From: Sasha Levin Date: Sun, 20 Jun 2021 03:15:23 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v5.4.128~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4bec30f4bbbc707b001f7a80ecb4acc63f352f81;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/alx-fix-an-error-handling-path-in-alx_probe.patch b/queue-5.10/alx-fix-an-error-handling-path-in-alx_probe.patch new file mode 100644 index 00000000000..9996abfcea1 --- /dev/null +++ b/queue-5.10/alx-fix-an-error-handling-path-in-alx_probe.patch @@ -0,0 +1,36 @@ +From f430128acd82a45258548463631f5a13bb2f99d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 08:13:39 +0200 +Subject: alx: Fix an error handling path in 'alx_probe()' + +From: Christophe JAILLET + +[ Upstream commit 33e381448cf7a05d76ac0b47d4a6531ecd0e5c53 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: ab69bde6b2e9 ("alx: add a simple AR816x/AR817x device driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/alx/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c +index 9e02f8864593..5e90df42b201 100644 +--- a/drivers/net/ethernet/atheros/alx/main.c ++++ b/drivers/net/ethernet/atheros/alx/main.c +@@ -1849,6 +1849,7 @@ out_free_netdev: + free_netdev(netdev); + out_pci_release: + pci_release_mem_regions(pdev); ++ pci_disable_pcie_error_reporting(pdev); + out_pci_disable: + pci_disable_device(pdev); + return err; +-- +2.30.2 + diff --git a/queue-5.10/batman-adv-avoid-warn_on-timing-related-checks.patch b/queue-5.10/batman-adv-avoid-warn_on-timing-related-checks.patch new file mode 100644 index 00000000000..832627a33b8 --- /dev/null +++ b/queue-5.10/batman-adv-avoid-warn_on-timing-related-checks.patch @@ -0,0 +1,45 @@ +From 7f26c3327db5ae088d8f139eac60c8be398a477a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 21:00:27 +0200 +Subject: batman-adv: Avoid WARN_ON timing related checks + +From: Sven Eckelmann + +[ Upstream commit 9f460ae31c4435fd022c443a6029352217a16ac1 ] + +The soft/batadv interface for a queued OGM can be changed during the time +the OGM was queued for transmission and when the OGM is actually +transmitted by the worker. + +But WARN_ON must be used to denote kernel bugs and not to print simple +warnings. A warning can simply be printed using pr_warn. + +Reported-by: Tetsuo Handa +Reported-by: syzbot+c0b807de416427ff3dd1@syzkaller.appspotmail.com +Fixes: ef0a937f7a14 ("batman-adv: consider outgoing interface in OGM sending") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bat_iv_ogm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c +index 206d0b424712..c0aa54d21c64 100644 +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -410,8 +410,10 @@ static void batadv_iv_ogm_emit(struct batadv_forw_packet *forw_packet) + if (WARN_ON(!forw_packet->if_outgoing)) + return; + +- if (WARN_ON(forw_packet->if_outgoing->soft_iface != soft_iface)) ++ if (forw_packet->if_outgoing->soft_iface != soft_iface) { ++ pr_warn("%s: soft interface switch for queued OGM\n", __func__); + return; ++ } + + if (forw_packet->if_incoming->if_status != BATADV_IF_ACTIVE) + return; +-- +2.30.2 + diff --git a/queue-5.10/be2net-fix-an-error-handling-path-in-be_probe.patch b/queue-5.10/be2net-fix-an-error-handling-path-in-be_probe.patch new file mode 100644 index 00000000000..2e86d6bee7b --- /dev/null +++ b/queue-5.10/be2net-fix-an-error-handling-path-in-be_probe.patch @@ -0,0 +1,37 @@ +From 7a274d972dcd9301b8bd1ef17565762ebf84c27d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 20:43:37 +0200 +Subject: be2net: Fix an error handling path in 'be_probe()' + +From: Christophe JAILLET + +[ Upstream commit c19c8c0e666f9259e2fc4d2fa4b9ff8e3b40ee5d ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: d6b6d9877878 ("be2net: use PCIe AER capability") +Signed-off-by: Christophe JAILLET +Acked-by: Somnath Kotur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 676e437d78f6..cb1e1ad652d0 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -5905,6 +5905,7 @@ drv_cleanup: + unmap_bars: + be_unmap_pci_bars(adapter); + free_netdev: ++ pci_disable_pcie_error_reporting(pdev); + free_netdev(netdev); + rel_reg: + pci_release_regions(pdev); +-- +2.30.2 + diff --git a/queue-5.10/bnxt_en-call-bnxt_ethtool_free-in-bnxt_init_one-erro.patch b/queue-5.10/bnxt_en-call-bnxt_ethtool_free-in-bnxt_init_one-erro.patch new file mode 100644 index 00000000000..fca5227eae4 --- /dev/null +++ b/queue-5.10/bnxt_en-call-bnxt_ethtool_free-in-bnxt_init_one-erro.patch @@ -0,0 +1,37 @@ +From 872cfe6f231ad5983d17daa745b1711576000b12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 02:07:27 -0400 +Subject: bnxt_en: Call bnxt_ethtool_free() in bnxt_init_one() error path + +From: Somnath Kotur + +[ Upstream commit 03400aaa69f916a376e11526cf591901a96a3a5c ] + +bnxt_ethtool_init() may have allocated some memory and we need to +call bnxt_ethtool_free() to properly unwind if bnxt_init_one() +fails. + +Fixes: 7c3809181468 ("bnxt_en: Refactor bnxt_init_one() and turn on TPA support on 57500 chips.") +Signed-off-by: Somnath Kotur +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 3f3d13a18992..db1b89f57079 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -12746,6 +12746,7 @@ init_err_pci_clean: + bnxt_hwrm_func_drv_unrgtr(bp); + bnxt_free_hwrm_short_cmd_req(bp); + bnxt_free_hwrm_resources(bp); ++ bnxt_ethtool_free(bp); + kfree(bp->fw_health); + bp->fw_health = NULL; + bnxt_cleanup_pci(bp); +-- +2.30.2 + diff --git a/queue-5.10/bnxt_en-fix-tqm-fastpath-ring-backing-store-computat.patch b/queue-5.10/bnxt_en-fix-tqm-fastpath-ring-backing-store-computat.patch new file mode 100644 index 00000000000..8f47fa87356 --- /dev/null +++ b/queue-5.10/bnxt_en-fix-tqm-fastpath-ring-backing-store-computat.patch @@ -0,0 +1,41 @@ +From b22b9a5dfd9263656b4450b5448c8920126f354d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 02:07:26 -0400 +Subject: bnxt_en: Fix TQM fastpath ring backing store computation + +From: Rukhsana Ansari + +[ Upstream commit c12e1643d2738bcd4e26252ce531878841dd3f38 ] + +TQM fastpath ring needs to be sized to store both the requester +and responder side of RoCE QPs in TQM for supporting bi-directional +tests. Fix bnxt_alloc_ctx_mem() to multiply the RoCE QPs by a factor of +2 when computing the number of entries for TQM fastpath ring. This +fixes an RX pipeline stall issue when running bi-directional max +RoCE QP tests. + +Fixes: c7dd7ab4b204 ("bnxt_en: Improve TQM ring context memory sizing formulas.") +Signed-off-by: Rukhsana Ansari +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 70c03c156e00..3f3d13a18992 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -7184,7 +7184,7 @@ skip_rdma: + entries_sp = ctx->vnic_max_vnic_entries + ctx->qp_max_l2_entries + + 2 * (extra_qps + ctx->qp_min_qp1_entries) + min; + entries_sp = roundup(entries_sp, ctx->tqm_entries_multiple); +- entries = ctx->qp_max_l2_entries + extra_qps + ctx->qp_min_qp1_entries; ++ entries = ctx->qp_max_l2_entries + 2 * (extra_qps + ctx->qp_min_qp1_entries); + entries = roundup(entries, ctx->tqm_entries_multiple); + entries = clamp_t(u32, entries, min, ctx->tqm_max_entries_per_ring); + for (i = 0; i < ctx->tqm_fp_rings_count + 1; i++) { +-- +2.30.2 + diff --git a/queue-5.10/bnxt_en-rediscover-phy-capabilities-after-firmware-r.patch b/queue-5.10/bnxt_en-rediscover-phy-capabilities-after-firmware-r.patch new file mode 100644 index 00000000000..a0a5330b7f7 --- /dev/null +++ b/queue-5.10/bnxt_en-rediscover-phy-capabilities-after-firmware-r.patch @@ -0,0 +1,49 @@ +From f56f9461301e0359400d0aff83a5a5c1365a7c1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 02:07:25 -0400 +Subject: bnxt_en: Rediscover PHY capabilities after firmware reset + +From: Michael Chan + +[ Upstream commit 0afd6a4e8028cc487c240b6cfe04094e45a306e4 ] + +There is a missing bnxt_probe_phy() call in bnxt_fw_init_one() to +rediscover the PHY capabilities after a firmware reset. This can cause +some PHY related functionalities to fail after a firmware reset. For +example, in multi-host, the ability for any host to configure the PHY +settings may be lost after a firmware reset. + +Fixes: ec5d31e3c15d ("bnxt_en: Handle firmware reset status during IF_UP.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index adfaa9a850dd..70c03c156e00 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -11353,6 +11353,8 @@ static void bnxt_fw_init_one_p3(struct bnxt *bp) + bnxt_hwrm_coal_params_qcaps(bp); + } + ++static int bnxt_probe_phy(struct bnxt *bp, bool fw_dflt); ++ + static int bnxt_fw_init_one(struct bnxt *bp) + { + int rc; +@@ -11367,6 +11369,9 @@ static int bnxt_fw_init_one(struct bnxt *bp) + netdev_err(bp->dev, "Firmware init phase 2 failed\n"); + return rc; + } ++ rc = bnxt_probe_phy(bp, false); ++ if (rc) ++ return rc; + rc = bnxt_approve_mac(bp, bp->dev->dev_addr, false); + if (rc) + return rc; +-- +2.30.2 + diff --git a/queue-5.10/bpf-fix-leakage-under-speculation-on-mispredicted-br.patch b/queue-5.10/bpf-fix-leakage-under-speculation-on-mispredicted-br.patch new file mode 100644 index 00000000000..9a4bd0b478f --- /dev/null +++ b/queue-5.10/bpf-fix-leakage-under-speculation-on-mispredicted-br.patch @@ -0,0 +1,222 @@ +From 02570137e311c9c16f5048f7c35fd83d821e9335 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 15:47:32 +0000 +Subject: bpf: Fix leakage under speculation on mispredicted branches + +From: Daniel Borkmann + +[ Upstream commit 9183671af6dbf60a1219371d4ed73e23f43b49db ] + +The verifier only enumerates valid control-flow paths and skips paths that +are unreachable in the non-speculative domain. And so it can miss issues +under speculative execution on mispredicted branches. + +For example, a type confusion has been demonstrated with the following +crafted program: + + // r0 = pointer to a map array entry + // r6 = pointer to readable stack slot + // r9 = scalar controlled by attacker + 1: r0 = *(u64 *)(r0) // cache miss + 2: if r0 != 0x0 goto line 4 + 3: r6 = r9 + 4: if r0 != 0x1 goto line 6 + 5: r9 = *(u8 *)(r6) + 6: // leak r9 + +Since line 3 runs iff r0 == 0 and line 5 runs iff r0 == 1, the verifier +concludes that the pointer dereference on line 5 is safe. But: if the +attacker trains both the branches to fall-through, such that the following +is speculatively executed ... + + r6 = r9 + r9 = *(u8 *)(r6) + // leak r9 + +... then the program will dereference an attacker-controlled value and could +leak its content under speculative execution via side-channel. This requires +to mistrain the branch predictor, which can be rather tricky, because the +branches are mutually exclusive. However such training can be done at +congruent addresses in user space using different branches that are not +mutually exclusive. That is, by training branches in user space ... + + A: if r0 != 0x0 goto line C + B: ... + C: if r0 != 0x0 goto line D + D: ... + +... such that addresses A and C collide to the same CPU branch prediction +entries in the PHT (pattern history table) as those of the BPF program's +lines 2 and 4, respectively. A non-privileged attacker could simply brute +force such collisions in the PHT until observing the attack succeeding. + +Alternative methods to mistrain the branch predictor are also possible that +avoid brute forcing the collisions in the PHT. A reliable attack has been +demonstrated, for example, using the following crafted program: + + // r0 = pointer to a [control] map array entry + // r7 = *(u64 *)(r0 + 0), training/attack phase + // r8 = *(u64 *)(r0 + 8), oob address + // [...] + // r0 = pointer to a [data] map array entry + 1: if r7 == 0x3 goto line 3 + 2: r8 = r0 + // crafted sequence of conditional jumps to separate the conditional + // branch in line 193 from the current execution flow + 3: if r0 != 0x0 goto line 5 + 4: if r0 == 0x0 goto exit + 5: if r0 != 0x0 goto line 7 + 6: if r0 == 0x0 goto exit + [...] + 187: if r0 != 0x0 goto line 189 + 188: if r0 == 0x0 goto exit + // load any slowly-loaded value (due to cache miss in phase 3) ... + 189: r3 = *(u64 *)(r0 + 0x1200) + // ... and turn it into known zero for verifier, while preserving slowly- + // loaded dependency when executing: + 190: r3 &= 1 + 191: r3 &= 2 + // speculatively bypassed phase dependency + 192: r7 += r3 + 193: if r7 == 0x3 goto exit + 194: r4 = *(u8 *)(r8 + 0) + // leak r4 + +As can be seen, in training phase (phase != 0x3), the condition in line 1 +turns into false and therefore r8 with the oob address is overridden with +the valid map value address, which in line 194 we can read out without +issues. However, in attack phase, line 2 is skipped, and due to the cache +miss in line 189 where the map value is (zeroed and later) added to the +phase register, the condition in line 193 takes the fall-through path due +to prior branch predictor training, where under speculation, it'll load the +byte at oob address r8 (unknown scalar type at that point) which could then +be leaked via side-channel. + +One way to mitigate these is to 'branch off' an unreachable path, meaning, +the current verification path keeps following the is_branch_taken() path +and we push the other branch to the verification stack. Given this is +unreachable from the non-speculative domain, this branch's vstate is +explicitly marked as speculative. This is needed for two reasons: i) if +this path is solely seen from speculative execution, then we later on still +want the dead code elimination to kick in in order to sanitize these +instructions with jmp-1s, and ii) to ensure that paths walked in the +non-speculative domain are not pruned from earlier walks of paths walked in +the speculative domain. Additionally, for robustness, we mark the registers +which have been part of the conditional as unknown in the speculative path +given there should be no assumptions made on their content. + +The fix in here mitigates type confusion attacks described earlier due to +i) all code paths in the BPF program being explored and ii) existing +verifier logic already ensuring that given memory access instruction +references one specific data structure. + +An alternative to this fix that has also been looked at in this scope was to +mark aux->alu_state at the jump instruction with a BPF_JMP_TAKEN state as +well as direction encoding (always-goto, always-fallthrough, unknown), such +that mixing of different always-* directions themselves as well as mixing of +always-* with unknown directions would cause a program rejection by the +verifier, e.g. programs with constructs like 'if ([...]) { x = 0; } else +{ x = 1; }' with subsequent 'if (x == 1) { [...] }'. For unprivileged, this +would result in only single direction always-* taken paths, and unknown taken +paths being allowed, such that the former could be patched from a conditional +jump to an unconditional jump (ja). Compared to this approach here, it would +have two downsides: i) valid programs that otherwise are not performing any +pointer arithmetic, etc, would potentially be rejected/broken, and ii) we are +required to turn off path pruning for unprivileged, where both can be avoided +in this work through pushing the invalid branch to the verification stack. + +The issue was originally discovered by Adam and Ofek, and later independently +discovered and reported as a result of Benedict and Piotr's research work. + +Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation") +Reported-by: Adam Morrison +Reported-by: Ofek Kirzner +Reported-by: Benedict Schlueter +Reported-by: Piotr Krysiuk +Signed-off-by: Daniel Borkmann +Reviewed-by: John Fastabend +Reviewed-by: Benedict Schlueter +Reviewed-by: Piotr Krysiuk +Acked-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 44 +++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 40 insertions(+), 4 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 4f50d6f128be..da8fc57ff5b2 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -5740,6 +5740,27 @@ struct bpf_sanitize_info { + bool mask_to_left; + }; + ++static struct bpf_verifier_state * ++sanitize_speculative_path(struct bpf_verifier_env *env, ++ const struct bpf_insn *insn, ++ u32 next_idx, u32 curr_idx) ++{ ++ struct bpf_verifier_state *branch; ++ struct bpf_reg_state *regs; ++ ++ branch = push_stack(env, next_idx, curr_idx, true); ++ if (branch && insn) { ++ regs = branch->frame[branch->curframe]->regs; ++ if (BPF_SRC(insn->code) == BPF_K) { ++ mark_reg_unknown(env, regs, insn->dst_reg); ++ } else if (BPF_SRC(insn->code) == BPF_X) { ++ mark_reg_unknown(env, regs, insn->dst_reg); ++ mark_reg_unknown(env, regs, insn->src_reg); ++ } ++ } ++ return branch; ++} ++ + static int sanitize_ptr_alu(struct bpf_verifier_env *env, + struct bpf_insn *insn, + const struct bpf_reg_state *ptr_reg, +@@ -5823,7 +5844,8 @@ do_sim: + tmp = *dst_reg; + *dst_reg = *ptr_reg; + } +- ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); ++ ret = sanitize_speculative_path(env, NULL, env->insn_idx + 1, ++ env->insn_idx); + if (!ptr_is_dst_reg && ret) + *dst_reg = tmp; + return !ret ? REASON_STACK : 0; +@@ -7974,14 +7996,28 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, + if (err) + return err; + } ++ + if (pred == 1) { +- /* only follow the goto, ignore fall-through */ ++ /* Only follow the goto, ignore fall-through. If needed, push ++ * the fall-through branch for simulation under speculative ++ * execution. ++ */ ++ if (!env->bypass_spec_v1 && ++ !sanitize_speculative_path(env, insn, *insn_idx + 1, ++ *insn_idx)) ++ return -EFAULT; + *insn_idx += insn->off; + return 0; + } else if (pred == 0) { +- /* only follow fall-through branch, since +- * that's where the program will go ++ /* Only follow the fall-through branch, since that's where the ++ * program will go. If needed, push the goto branch for ++ * simulation under speculative execution. + */ ++ if (!env->bypass_spec_v1 && ++ !sanitize_speculative_path(env, insn, ++ *insn_idx + insn->off + 1, ++ *insn_idx)) ++ return -EFAULT; + return 0; + } + +-- +2.30.2 + diff --git a/queue-5.10/cxgb4-fix-endianness-when-flashing-boot-image.patch b/queue-5.10/cxgb4-fix-endianness-when-flashing-boot-image.patch new file mode 100644 index 00000000000..e7837f7077f --- /dev/null +++ b/queue-5.10/cxgb4-fix-endianness-when-flashing-boot-image.patch @@ -0,0 +1,153 @@ +From 3a4c2949b7dc66da01400415ef01f362c59a55fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 12:17:45 +0530 +Subject: cxgb4: fix endianness when flashing boot image + +From: Rahul Lakkireddy + +[ Upstream commit 42a2039753a7f758ba5c85cb199fcf10dc2111eb ] + +Boot images are copied to memory and updated with current underlying +device ID before flashing them to adapter. Ensure the updated images +are always flashed in Big Endian to allow the firmware to read the +new images during boot properly. + +Fixes: 550883558f17 ("cxgb4: add support to flash boot image") +Signed-off-by: Rahul Lakkireddy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 44 +++++++++++++--------- + 1 file changed, 27 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +index 581670dced6e..236f6bf2858a 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +@@ -3067,16 +3067,19 @@ int t4_read_flash(struct adapter *adapter, unsigned int addr, + * @addr: the start address to write + * @n: length of data to write in bytes + * @data: the data to write ++ * @byte_oriented: whether to store data as bytes or as words + * + * Writes up to a page of data (256 bytes) to the serial flash starting + * at the given address. All the data must be written to the same page. ++ * If @byte_oriented is set the write data is stored as byte stream ++ * (i.e. matches what on disk), otherwise in big-endian. + */ + static int t4_write_flash(struct adapter *adapter, unsigned int addr, +- unsigned int n, const u8 *data) ++ unsigned int n, const u8 *data, bool byte_oriented) + { +- int ret; +- u32 buf[64]; + unsigned int i, c, left, val, offset = addr & 0xff; ++ u32 buf[64]; ++ int ret; + + if (addr >= adapter->params.sf_size || offset + n > SF_PAGE_SIZE) + return -EINVAL; +@@ -3087,10 +3090,14 @@ static int t4_write_flash(struct adapter *adapter, unsigned int addr, + (ret = sf1_write(adapter, 4, 1, 1, val)) != 0) + goto unlock; + +- for (left = n; left; left -= c) { ++ for (left = n; left; left -= c, data += c) { + c = min(left, 4U); +- for (val = 0, i = 0; i < c; ++i) +- val = (val << 8) + *data++; ++ for (val = 0, i = 0; i < c; ++i) { ++ if (byte_oriented) ++ val = (val << 8) + data[i]; ++ else ++ val = (val << 8) + data[c - i - 1]; ++ } + + ret = sf1_write(adapter, c, c != left, 1, val); + if (ret) +@@ -3103,7 +3110,8 @@ static int t4_write_flash(struct adapter *adapter, unsigned int addr, + t4_write_reg(adapter, SF_OP_A, 0); /* unlock SF */ + + /* Read the page to verify the write succeeded */ +- ret = t4_read_flash(adapter, addr & ~0xff, ARRAY_SIZE(buf), buf, 1); ++ ret = t4_read_flash(adapter, addr & ~0xff, ARRAY_SIZE(buf), buf, ++ byte_oriented); + if (ret) + return ret; + +@@ -3699,7 +3707,7 @@ int t4_load_fw(struct adapter *adap, const u8 *fw_data, unsigned int size) + */ + memcpy(first_page, fw_data, SF_PAGE_SIZE); + ((struct fw_hdr *)first_page)->fw_ver = cpu_to_be32(0xffffffff); +- ret = t4_write_flash(adap, fw_start, SF_PAGE_SIZE, first_page); ++ ret = t4_write_flash(adap, fw_start, SF_PAGE_SIZE, first_page, true); + if (ret) + goto out; + +@@ -3707,14 +3715,14 @@ int t4_load_fw(struct adapter *adap, const u8 *fw_data, unsigned int size) + for (size -= SF_PAGE_SIZE; size; size -= SF_PAGE_SIZE) { + addr += SF_PAGE_SIZE; + fw_data += SF_PAGE_SIZE; +- ret = t4_write_flash(adap, addr, SF_PAGE_SIZE, fw_data); ++ ret = t4_write_flash(adap, addr, SF_PAGE_SIZE, fw_data, true); + if (ret) + goto out; + } + +- ret = t4_write_flash(adap, +- fw_start + offsetof(struct fw_hdr, fw_ver), +- sizeof(hdr->fw_ver), (const u8 *)&hdr->fw_ver); ++ ret = t4_write_flash(adap, fw_start + offsetof(struct fw_hdr, fw_ver), ++ sizeof(hdr->fw_ver), (const u8 *)&hdr->fw_ver, ++ true); + out: + if (ret) + dev_err(adap->pdev_dev, "firmware download failed, error %d\n", +@@ -10215,7 +10223,7 @@ int t4_load_cfg(struct adapter *adap, const u8 *cfg_data, unsigned int size) + n = size - i; + else + n = SF_PAGE_SIZE; +- ret = t4_write_flash(adap, addr, n, cfg_data); ++ ret = t4_write_flash(adap, addr, n, cfg_data, true); + if (ret) + goto out; + +@@ -10684,13 +10692,14 @@ int t4_load_boot(struct adapter *adap, u8 *boot_data, + for (size -= SF_PAGE_SIZE; size; size -= SF_PAGE_SIZE) { + addr += SF_PAGE_SIZE; + boot_data += SF_PAGE_SIZE; +- ret = t4_write_flash(adap, addr, SF_PAGE_SIZE, boot_data); ++ ret = t4_write_flash(adap, addr, SF_PAGE_SIZE, boot_data, ++ false); + if (ret) + goto out; + } + + ret = t4_write_flash(adap, boot_sector, SF_PAGE_SIZE, +- (const u8 *)header); ++ (const u8 *)header, false); + + out: + if (ret) +@@ -10765,7 +10774,7 @@ int t4_load_bootcfg(struct adapter *adap, const u8 *cfg_data, unsigned int size) + for (i = 0; i < size; i += SF_PAGE_SIZE) { + n = min_t(u32, size - i, SF_PAGE_SIZE); + +- ret = t4_write_flash(adap, addr, n, cfg_data); ++ ret = t4_write_flash(adap, addr, n, cfg_data, false); + if (ret) + goto out; + +@@ -10777,7 +10786,8 @@ int t4_load_bootcfg(struct adapter *adap, const u8 *cfg_data, unsigned int size) + for (i = 0; i < npad; i++) { + u8 data = 0; + +- ret = t4_write_flash(adap, cfg_addr + size + i, 1, &data); ++ ret = t4_write_flash(adap, cfg_addr + size + i, 1, &data, ++ false); + if (ret) + goto out; + } +-- +2.30.2 + diff --git a/queue-5.10/cxgb4-fix-sleep-in-atomic-when-flashing-phy-firmware.patch b/queue-5.10/cxgb4-fix-sleep-in-atomic-when-flashing-phy-firmware.patch new file mode 100644 index 00000000000..9eb56e4e684 --- /dev/null +++ b/queue-5.10/cxgb4-fix-sleep-in-atomic-when-flashing-phy-firmware.patch @@ -0,0 +1,72 @@ +From e82c8037869d72d7d00b41070dd36766ac59a565 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 12:17:46 +0530 +Subject: cxgb4: fix sleep in atomic when flashing PHY firmware + +From: Rahul Lakkireddy + +[ Upstream commit f046bd0ae15d8a0bbe57d4647da182420f720c3d ] + +Before writing new PHY firmware to on-chip memory, driver queries +firmware for current running PHY firmware version, which can result +in sleep waiting for reply. So, move spinlock closer to the actual +on-chip memory write operation, instead of taking it at the callers. + +Fixes: 5fff701c838e ("cxgb4: always sync access when flashing PHY firmware") +Signed-off-by: Rahul Lakkireddy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 2 -- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 -- + drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 2 ++ + 3 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c +index 61ea3ec5c3fc..bc2de01d0539 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c +@@ -1337,9 +1337,7 @@ static int cxgb4_ethtool_flash_phy(struct net_device *netdev, + return ret; + } + +- spin_lock_bh(&adap->win0_lock); + ret = t4_load_phy_fw(adap, MEMWIN_NIC, NULL, data, size); +- spin_unlock_bh(&adap->win0_lock); + if (ret) + dev_err(adap->pdev_dev, "Failed to load PHY FW\n"); + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index 04dcb5e4b316..8be525c5e2e4 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -4428,10 +4428,8 @@ static int adap_init0_phy(struct adapter *adap) + + /* Load PHY Firmware onto adapter. + */ +- spin_lock_bh(&adap->win0_lock); + ret = t4_load_phy_fw(adap, MEMWIN_NIC, phy_info->phy_fw_version, + (u8 *)phyf->data, phyf->size); +- spin_unlock_bh(&adap->win0_lock); + if (ret < 0) + dev_err(adap->pdev_dev, "PHY Firmware transfer error %d\n", + -ret); +diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +index 236f6bf2858a..964ea3491b80 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +@@ -3827,9 +3827,11 @@ int t4_load_phy_fw(struct adapter *adap, int win, + /* Copy the supplied PHY Firmware image to the adapter memory location + * allocated by the adapter firmware. + */ ++ spin_lock_bh(&adap->win0_lock); + ret = t4_memory_rw(adap, win, mtype, maddr, + phy_fw_size, (__be32 *)phy_fw_data, + T4_MEMORY_WRITE); ++ spin_unlock_bh(&adap->win0_lock); + if (ret) + return ret; + +-- +2.30.2 + diff --git a/queue-5.10/cxgb4-fix-wrong-ethtool-n-tuple-rule-lookup.patch b/queue-5.10/cxgb4-fix-wrong-ethtool-n-tuple-rule-lookup.patch new file mode 100644 index 00000000000..a77494c2b32 --- /dev/null +++ b/queue-5.10/cxgb4-fix-wrong-ethtool-n-tuple-rule-lookup.patch @@ -0,0 +1,78 @@ +From d6002283fbc7f0e861d1458f23b3eabdfff56747 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 19:20:44 +0530 +Subject: cxgb4: fix wrong ethtool n-tuple rule lookup + +From: Rahul Lakkireddy + +[ Upstream commit 09427c1915f754ebe7d3d8e54e79bbee48afe916 ] + +The TID returned during successful filter creation is relative to +the region in which the filter is created. Using it directly always +returns Hi Prio/Normal filter region's entry for the first couple of +entries, even though the rule is actually inserted in Hash region. +Fix by analyzing in which region the filter has been inserted and +save the absolute TID to be used for lookup later. + +Fixes: db43b30cd89c ("cxgb4: add ethtool n-tuple filter deletion") +Signed-off-by: Rahul Lakkireddy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 24 ++++++++++++------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c +index df20485b5744..83ed10ac8660 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c +@@ -1624,16 +1624,14 @@ static struct filter_entry *cxgb4_get_filter_entry(struct adapter *adap, + u32 ftid) + { + struct tid_info *t = &adap->tids; +- struct filter_entry *f; + +- if (ftid < t->nhpftids) +- f = &adap->tids.hpftid_tab[ftid]; +- else if (ftid < t->nftids) +- f = &adap->tids.ftid_tab[ftid - t->nhpftids]; +- else +- f = lookup_tid(&adap->tids, ftid); ++ if (ftid >= t->hpftid_base && ftid < t->hpftid_base + t->nhpftids) ++ return &t->hpftid_tab[ftid - t->hpftid_base]; ++ ++ if (ftid >= t->ftid_base && ftid < t->ftid_base + t->nftids) ++ return &t->ftid_tab[ftid - t->ftid_base]; + +- return f; ++ return lookup_tid(t, ftid); + } + + static void cxgb4_fill_filter_rule(struct ethtool_rx_flow_spec *fs, +@@ -1840,6 +1838,11 @@ static int cxgb4_ntuple_del_filter(struct net_device *dev, + filter_id = filter_info->loc_array[cmd->fs.location]; + f = cxgb4_get_filter_entry(adapter, filter_id); + ++ if (f->fs.prio) ++ filter_id -= adapter->tids.hpftid_base; ++ else if (!f->fs.hash) ++ filter_id -= (adapter->tids.ftid_base - adapter->tids.nhpftids); ++ + ret = cxgb4_flow_rule_destroy(dev, f->fs.tc_prio, &f->fs, filter_id); + if (ret) + goto err; +@@ -1899,6 +1902,11 @@ static int cxgb4_ntuple_set_filter(struct net_device *netdev, + + filter_info = &adapter->ethtool_filters->port[pi->port_id]; + ++ if (fs.prio) ++ tid += adapter->tids.hpftid_base; ++ else if (!fs.hash) ++ tid += (adapter->tids.ftid_base - adapter->tids.nhpftids); ++ + filter_info->loc_array[cmd->fs.location] = tid; + set_bit(cmd->fs.location, filter_info->bmap); + filter_info->in_use++; +-- +2.30.2 + diff --git a/queue-5.10/cxgb4-fix-wrong-shift.patch b/queue-5.10/cxgb4-fix-wrong-shift.patch new file mode 100644 index 00000000000..565360af862 --- /dev/null +++ b/queue-5.10/cxgb4-fix-wrong-shift.patch @@ -0,0 +1,36 @@ +From 6cac49eee1ae6dead1b415f8db7dabd3eec0faee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 11:29:48 +0200 +Subject: cxgb4: fix wrong shift. + +From: Pavel Machek + +[ Upstream commit 39eb028183bc7378bb6187067e20bf6d8c836407 ] + +While fixing coverity warning, commit dd2c79677375 introduced typo in +shift value. Fix that. + +Signed-off-by: Pavel Machek (CIP) +Fixes: dd2c79677375 ("cxgb4: Fix unintentional sign extension issues") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c +index e664e05b9f02..5fbc087268db 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c +@@ -198,7 +198,7 @@ static void set_nat_params(struct adapter *adap, struct filter_entry *f, + WORD_MASK, f->fs.nat_lip[3] | + f->fs.nat_lip[2] << 8 | + f->fs.nat_lip[1] << 16 | +- (u64)f->fs.nat_lip[0] << 25, 1); ++ (u64)f->fs.nat_lip[0] << 24, 1); + } + } + +-- +2.30.2 + diff --git a/queue-5.10/cxgb4-halt-chip-before-flashing-phy-firmware-image.patch b/queue-5.10/cxgb4-halt-chip-before-flashing-phy-firmware-image.patch new file mode 100644 index 00000000000..f13342f748d --- /dev/null +++ b/queue-5.10/cxgb4-halt-chip-before-flashing-phy-firmware-image.patch @@ -0,0 +1,61 @@ +From 1b1445b7e72ac92ad7c6defeafa40734de71fa42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 12:17:47 +0530 +Subject: cxgb4: halt chip before flashing PHY firmware image + +From: Rahul Lakkireddy + +[ Upstream commit 6d297540f75d759489054e8b07932208fc4db2cb ] + +When using firmware-assisted PHY firmware image write to flash, +halt the chip before beginning the flash write operation to allow +the running firmware to store the image persistently. Otherwise, +the running firmware will only store the PHY image in local on-chip +RAM, which will be lost after next reset. + +Fixes: 4ee339e1e92a ("cxgb4: add support to flash PHY image") +Signed-off-by: Rahul Lakkireddy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 22 ++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c +index bc2de01d0539..df20485b5744 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c +@@ -1337,11 +1337,27 @@ static int cxgb4_ethtool_flash_phy(struct net_device *netdev, + return ret; + } + ++ /* We have to RESET the chip/firmware because we need the ++ * chip in uninitialized state for loading new PHY image. ++ * Otherwise, the running firmware will only store the PHY ++ * image in local RAM which will be lost after next reset. ++ */ ++ ret = t4_fw_reset(adap, adap->mbox, PIORSTMODE_F | PIORST_F); ++ if (ret < 0) { ++ dev_err(adap->pdev_dev, ++ "Set FW to RESET for flashing PHY FW failed. ret: %d\n", ++ ret); ++ return ret; ++ } ++ + ret = t4_load_phy_fw(adap, MEMWIN_NIC, NULL, data, size); +- if (ret) +- dev_err(adap->pdev_dev, "Failed to load PHY FW\n"); ++ if (ret < 0) { ++ dev_err(adap->pdev_dev, "Failed to load PHY FW. ret: %d\n", ++ ret); ++ return ret; ++ } + +- return ret; ++ return 0; + } + + static int cxgb4_ethtool_flash_fw(struct net_device *netdev, +-- +2.30.2 + diff --git a/queue-5.10/ethtool-strset-fix-message-length-calculation.patch b/queue-5.10/ethtool-strset-fix-message-length-calculation.patch new file mode 100644 index 00000000000..87c10c4dcaa --- /dev/null +++ b/queue-5.10/ethtool-strset-fix-message-length-calculation.patch @@ -0,0 +1,51 @@ +From a6e24afe6db99bfedb578890251f380ceefa7344 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 18:49:48 -0700 +Subject: ethtool: strset: fix message length calculation + +From: Jakub Kicinski + +[ Upstream commit e175aef902697826d344ce3a12189329848fe898 ] + +Outer nest for ETHTOOL_A_STRSET_STRINGSETS is not accounted for. +This may result in ETHTOOL_MSG_STRSET_GET producing a warning like: + + calculated message payload length (684) not sufficient + WARNING: CPU: 0 PID: 30967 at net/ethtool/netlink.c:369 ethnl_default_doit+0x87a/0xa20 + +and a splat. + +As usually with such warnings three conditions must be met for the warning +to trigger: + - there must be no skb size rounding up (e.g. reply_size of 684); + - string set must be per-device (so that the header gets populated); + - the device name must be at least 12 characters long. + +all in all with current user space it looks like reading priv flags +is the only place this could potentially happen. Or with syzbot :) + +Reported-by: syzbot+59aa77b92d06cd5a54f2@syzkaller.appspotmail.com +Fixes: 71921690f974 ("ethtool: provide string sets with STRSET_GET request") +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ethtool/strset.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ethtool/strset.c b/net/ethtool/strset.c +index c3a5489964cd..9908b922cce8 100644 +--- a/net/ethtool/strset.c ++++ b/net/ethtool/strset.c +@@ -328,6 +328,8 @@ static int strset_reply_size(const struct ethnl_req_info *req_base, + int len = 0; + int ret; + ++ len += nla_total_size(0); /* ETHTOOL_A_STRSET_STRINGSETS */ ++ + for (i = 0; i < ETH_SS_COUNT; i++) { + const struct strset_info *set_info = &data->sets[i]; + +-- +2.30.2 + diff --git a/queue-5.10/ice-add-ndo_bpf-callback-for-safe-mode-netdev-ops.patch b/queue-5.10/ice-add-ndo_bpf-callback-for-safe-mode-netdev-ops.patch new file mode 100644 index 00000000000..1db1aa713c1 --- /dev/null +++ b/queue-5.10/ice-add-ndo_bpf-callback-for-safe-mode-netdev-ops.patch @@ -0,0 +1,70 @@ +From 86a5178d46e69b647b9037aa30fdb29b964a1dcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 May 2021 08:34:59 +0200 +Subject: ice: add ndo_bpf callback for safe mode netdev ops + +From: Maciej Fijalkowski + +[ Upstream commit ebc5399ea1dfcddac31974091086a3379141899b ] + +ice driver requires a programmable pipeline firmware package in order to +have a support for advanced features. Otherwise, driver falls back to so +called 'safe mode'. For that mode, ndo_bpf callback is not exposed and +when user tries to load XDP program, the following happens: + +$ sudo ./xdp1 enp179s0f1 +libbpf: Kernel error message: Underlying driver does not support XDP in native mode +link set xdp fd failed + +which is sort of confusing, as there is a native XDP support, but not in +the current mode. Improve the user experience by providing the specific +ndo_bpf callback dedicated for safe mode which will make use of extack +to explicitly let the user know that the DDP package is missing and +that's the reason that the XDP can't be loaded onto interface currently. + +Cc: Jamal Hadi Salim +Fixes: efc2214b6047 ("ice: Add support for XDP") +Signed-off-by: Maciej Fijalkowski +Tested-by: Kiran Bhandare +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 6f30aad7695f..1567ddd4c5b8 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -2539,6 +2539,20 @@ ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog, + return (ret || xdp_ring_err) ? -ENOMEM : 0; + } + ++/** ++ * ice_xdp_safe_mode - XDP handler for safe mode ++ * @dev: netdevice ++ * @xdp: XDP command ++ */ ++static int ice_xdp_safe_mode(struct net_device __always_unused *dev, ++ struct netdev_bpf *xdp) ++{ ++ NL_SET_ERR_MSG_MOD(xdp->extack, ++ "Please provide working DDP firmware package in order to use XDP\n" ++ "Refer to Documentation/networking/device_drivers/ethernet/intel/ice.rst"); ++ return -EOPNOTSUPP; ++} ++ + /** + * ice_xdp - implements XDP handler + * @dev: netdevice +@@ -6786,6 +6800,7 @@ static const struct net_device_ops ice_netdev_safe_mode_ops = { + .ndo_change_mtu = ice_change_mtu, + .ndo_get_stats64 = ice_get_stats64, + .ndo_tx_timeout = ice_tx_timeout, ++ .ndo_bpf = ice_xdp_safe_mode, + }; + + static const struct net_device_ops ice_netdev_ops = { +-- +2.30.2 + diff --git a/queue-5.10/ice-parameterize-functions-responsible-for-tx-ring-m.patch b/queue-5.10/ice-parameterize-functions-responsible-for-tx-ring-m.patch new file mode 100644 index 00000000000..d2122341eb6 --- /dev/null +++ b/queue-5.10/ice-parameterize-functions-responsible-for-tx-ring-m.patch @@ -0,0 +1,120 @@ +From 793f1df9c97f06fea0e9bcec291705378c1ce905 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 May 2021 08:35:00 +0200 +Subject: ice: parameterize functions responsible for Tx ring management + +From: Maciej Fijalkowski + +[ Upstream commit 2e84f6b3773f43263124c76499c0c4ec3f40aa9b ] + +Commit ae15e0ba1b33 ("ice: Change number of XDP Tx queues to match +number of Rx queues") tried to address the incorrect setting of XDP +queue count that was based on the Tx queue count, whereas in theory we +should provide the XDP queue per Rx queue. However, the routines that +setup and destroy the set of Tx resources are still based on the +vsi->num_txq. + +Ice supports the asynchronous Tx/Rx queue count, so for a setup where +vsi->num_txq > vsi->num_rxq, ice_vsi_stop_tx_rings and ice_vsi_cfg_txqs +will be accessing the vsi->xdp_rings out of the bounds. + +Parameterize two mentioned functions so they get the size of Tx resources +array as the input. + +Fixes: ae15e0ba1b33 ("ice: Change number of XDP Tx queues to match number of Rx queues") +Signed-off-by: Maciej Fijalkowski +Tested-by: Kiran Bhandare +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index fb20c6971f4c..dc944d605a74 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -1705,12 +1705,13 @@ setup_rings: + * ice_vsi_cfg_txqs - Configure the VSI for Tx + * @vsi: the VSI being configured + * @rings: Tx ring array to be configured ++ * @count: number of Tx ring array elements + * + * Return 0 on success and a negative value on error + * Configure the Tx VSI for operation. + */ + static int +-ice_vsi_cfg_txqs(struct ice_vsi *vsi, struct ice_ring **rings) ++ice_vsi_cfg_txqs(struct ice_vsi *vsi, struct ice_ring **rings, u16 count) + { + struct ice_aqc_add_tx_qgrp *qg_buf; + u16 q_idx = 0; +@@ -1722,7 +1723,7 @@ ice_vsi_cfg_txqs(struct ice_vsi *vsi, struct ice_ring **rings) + + qg_buf->num_txqs = 1; + +- for (q_idx = 0; q_idx < vsi->num_txq; q_idx++) { ++ for (q_idx = 0; q_idx < count; q_idx++) { + err = ice_vsi_cfg_txq(vsi, rings[q_idx], qg_buf); + if (err) + goto err_cfg_txqs; +@@ -1742,7 +1743,7 @@ err_cfg_txqs: + */ + int ice_vsi_cfg_lan_txqs(struct ice_vsi *vsi) + { +- return ice_vsi_cfg_txqs(vsi, vsi->tx_rings); ++ return ice_vsi_cfg_txqs(vsi, vsi->tx_rings, vsi->num_txq); + } + + /** +@@ -1757,7 +1758,7 @@ int ice_vsi_cfg_xdp_txqs(struct ice_vsi *vsi) + int ret; + int i; + +- ret = ice_vsi_cfg_txqs(vsi, vsi->xdp_rings); ++ ret = ice_vsi_cfg_txqs(vsi, vsi->xdp_rings, vsi->num_xdp_txq); + if (ret) + return ret; + +@@ -1955,17 +1956,18 @@ int ice_vsi_stop_all_rx_rings(struct ice_vsi *vsi) + * @rst_src: reset source + * @rel_vmvf_num: Relative ID of VF/VM + * @rings: Tx ring array to be stopped ++ * @count: number of Tx ring array elements + */ + static int + ice_vsi_stop_tx_rings(struct ice_vsi *vsi, enum ice_disq_rst_src rst_src, +- u16 rel_vmvf_num, struct ice_ring **rings) ++ u16 rel_vmvf_num, struct ice_ring **rings, u16 count) + { + u16 q_idx; + + if (vsi->num_txq > ICE_LAN_TXQ_MAX_QDIS) + return -EINVAL; + +- for (q_idx = 0; q_idx < vsi->num_txq; q_idx++) { ++ for (q_idx = 0; q_idx < count; q_idx++) { + struct ice_txq_meta txq_meta = { }; + int status; + +@@ -1993,7 +1995,7 @@ int + ice_vsi_stop_lan_tx_rings(struct ice_vsi *vsi, enum ice_disq_rst_src rst_src, + u16 rel_vmvf_num) + { +- return ice_vsi_stop_tx_rings(vsi, rst_src, rel_vmvf_num, vsi->tx_rings); ++ return ice_vsi_stop_tx_rings(vsi, rst_src, rel_vmvf_num, vsi->tx_rings, vsi->num_txq); + } + + /** +@@ -2002,7 +2004,7 @@ ice_vsi_stop_lan_tx_rings(struct ice_vsi *vsi, enum ice_disq_rst_src rst_src, + */ + int ice_vsi_stop_xdp_tx_rings(struct ice_vsi *vsi) + { +- return ice_vsi_stop_tx_rings(vsi, ICE_NO_RESET, 0, vsi->xdp_rings); ++ return ice_vsi_stop_tx_rings(vsi, ICE_NO_RESET, 0, vsi->xdp_rings, vsi->num_xdp_txq); + } + + /** +-- +2.30.2 + diff --git a/queue-5.10/icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch b/queue-5.10/icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch new file mode 100644 index 00000000000..f39fdd7b51c --- /dev/null +++ b/queue-5.10/icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch @@ -0,0 +1,100 @@ +From b8088befbc1c5afa7506363c64ea9515d7edee79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 13:04:35 +0200 +Subject: icmp: don't send out ICMP messages with a source address of 0.0.0.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 321827477360934dc040e9d3c626bf1de6c3ab3c ] + +When constructing ICMP response messages, the kernel will try to pick a +suitable source address for the outgoing packet. However, if no IPv4 +addresses are configured on the system at all, this will fail and we end up +producing an ICMP message with a source address of 0.0.0.0. This can happen +on a box routing IPv4 traffic via v6 nexthops, for instance. + +Since 0.0.0.0 is not generally routable on the internet, there's a good +chance that such ICMP messages will never make it back to the sender of the +original packet that the ICMP message was sent in response to. This, in +turn, can create connectivity and PMTUd problems for senders. Fortunately, +RFC7600 reserves a dummy address to be used as a source for ICMP +messages (192.0.0.8/32), so let's teach the kernel to substitute that +address as a last resort if the regular source address selection procedure +fails. + +Below is a quick example reproducing this issue with network namespaces: + +ip netns add ns0 +ip l add type veth peer netns ns0 +ip l set dev veth0 up +ip a add 10.0.0.1/24 dev veth0 +ip a add fc00:dead:cafe:42::1/64 dev veth0 +ip r add 10.1.0.0/24 via inet6 fc00:dead:cafe:42::2 +ip -n ns0 l set dev veth0 up +ip -n ns0 a add fc00:dead:cafe:42::2/64 dev veth0 +ip -n ns0 r add 10.0.0.0/24 via inet6 fc00:dead:cafe:42::1 +ip netns exec ns0 sysctl -w net.ipv4.icmp_ratelimit=0 +ip netns exec ns0 sysctl -w net.ipv4.ip_forward=1 +tcpdump -tpni veth0 -c 2 icmp & +ping -w 1 10.1.0.1 > /dev/null +tcpdump: verbose output suppressed, use -v[v]... for full protocol decode +listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes +IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 29, seq 1, length 64 +IP 0.0.0.0 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92 +2 packets captured +2 packets received by filter +0 packets dropped by kernel + +With this patch the above capture changes to: +IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 31127, seq 1, length 64 +IP 192.0.0.8 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Juliusz Chroboczek +Reviewed-by: David Ahern +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/uapi/linux/in.h | 3 +++ + net/ipv4/icmp.c | 7 +++++++ + 2 files changed, 10 insertions(+) + +diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h +index 7d6687618d80..d1b327036ae4 100644 +--- a/include/uapi/linux/in.h ++++ b/include/uapi/linux/in.h +@@ -289,6 +289,9 @@ struct sockaddr_in { + /* Address indicating an error return. */ + #define INADDR_NONE ((unsigned long int) 0xffffffff) + ++/* Dummy address for src of ICMP replies if no real address is set (RFC7600). */ ++#define INADDR_DUMMY ((unsigned long int) 0xc0000008) ++ + /* Network number for local host loopback. */ + #define IN_LOOPBACKNET 127 + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index ff3818333fcf..b71b836cc7d1 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -759,6 +759,13 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, + icmp_param.data_len = room; + icmp_param.head_len = sizeof(struct icmphdr); + ++ /* if we don't have a source address at this point, fall back to the ++ * dummy address instead of sending out a packet with a source address ++ * of 0.0.0.0 ++ */ ++ if (!fl4.saddr) ++ fl4.saddr = htonl(INADDR_DUMMY); ++ + icmp_push_reply(&icmp_param, &fl4, &ipc, &rt); + ende: + ip_rt_put(rt); +-- +2.30.2 + diff --git a/queue-5.10/ipv4-fix-device-used-for-dst_alloc-with-local-routes.patch b/queue-5.10/ipv4-fix-device-used-for-dst_alloc-with-local-routes.patch new file mode 100644 index 00000000000..062463386a3 --- /dev/null +++ b/queue-5.10/ipv4-fix-device-used-for-dst_alloc-with-local-routes.patch @@ -0,0 +1,116 @@ +From 1e88172a6075c81e53d0465deebdbe938735bd7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 18:24:59 -0600 +Subject: ipv4: Fix device used for dst_alloc with local routes + +From: David Ahern + +[ Upstream commit b87b04f5019e821c8c6c7761f258402e43500a1f ] + +Oliver reported a use case where deleting a VRF device can hang +waiting for the refcnt to drop to 0. The root cause is that the dst +is allocated against the VRF device but cached on the loopback +device. + +The use case (added to the selftests) has an implicit VRF crossing +due to the ordering of the FIB rules (lookup local is before the +l3mdev rule, but the problem occurs even if the FIB rules are +re-ordered with local after l3mdev because the VRF table does not +have a default route to terminate the lookup). The end result is +is that the FIB lookup returns the loopback device as the nexthop, +but the ingress device is in a VRF. The mismatch causes the dst +alloc against the VRF device but then cached on the loopback. + +The fix is to bring the trick used for IPv6 (see ip6_rt_get_dev_rcu): +pick the dst alloc device based the fib lookup result but with checks +that the result has a nexthop device (e.g., not an unreachable or +prohibit entry). + +Fixes: f5a0aab84b74 ("net: ipv4: dst for local input routes should use l3mdev if relevant") +Reported-by: Oliver Herms +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 15 +++++++++++++- + tools/testing/selftests/net/fib_tests.sh | 25 ++++++++++++++++++++++++ + 2 files changed, 39 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 798dc85bde5b..e968bb47d5bd 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2076,6 +2076,19 @@ martian_source: + return err; + } + ++/* get device for dst_alloc with local routes */ ++static struct net_device *ip_rt_get_dev(struct net *net, ++ const struct fib_result *res) ++{ ++ struct fib_nh_common *nhc = res->fi ? res->nhc : NULL; ++ struct net_device *dev = NULL; ++ ++ if (nhc) ++ dev = l3mdev_master_dev_rcu(nhc->nhc_dev); ++ ++ return dev ? : net->loopback_dev; ++} ++ + /* + * NOTE. We drop all the packets that has local source + * addresses, because every properly looped back packet +@@ -2232,7 +2245,7 @@ local_input: + } + } + +- rth = rt_dst_alloc(l3mdev_master_dev_rcu(dev) ? : net->loopback_dev, ++ rth = rt_dst_alloc(ip_rt_get_dev(net, res), + flags | RTCF_LOCAL, res->type, + IN_DEV_CONF_GET(in_dev, NOPOLICY), false); + if (!rth) +diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh +index 2b5707738609..6fad54c7ecb4 100755 +--- a/tools/testing/selftests/net/fib_tests.sh ++++ b/tools/testing/selftests/net/fib_tests.sh +@@ -1384,12 +1384,37 @@ ipv4_rt_replace() + ipv4_rt_replace_mpath + } + ++# checks that cached input route on VRF port is deleted ++# when VRF is deleted ++ipv4_local_rt_cache() ++{ ++ run_cmd "ip addr add 10.0.0.1/32 dev lo" ++ run_cmd "ip netns add test-ns" ++ run_cmd "ip link add veth-outside type veth peer name veth-inside" ++ run_cmd "ip link add vrf-100 type vrf table 1100" ++ run_cmd "ip link set veth-outside master vrf-100" ++ run_cmd "ip link set veth-inside netns test-ns" ++ run_cmd "ip link set veth-outside up" ++ run_cmd "ip link set vrf-100 up" ++ run_cmd "ip route add 10.1.1.1/32 dev veth-outside table 1100" ++ run_cmd "ip netns exec test-ns ip link set veth-inside up" ++ run_cmd "ip netns exec test-ns ip addr add 10.1.1.1/32 dev veth-inside" ++ run_cmd "ip netns exec test-ns ip route add 10.0.0.1/32 dev veth-inside" ++ run_cmd "ip netns exec test-ns ip route add default via 10.0.0.1" ++ run_cmd "ip netns exec test-ns ping 10.0.0.1 -c 1 -i 1" ++ run_cmd "ip link delete vrf-100" ++ ++ # if we do not hang test is a success ++ log_test $? 0 "Cached route removed from VRF port device" ++} ++ + ipv4_route_test() + { + route_setup + + ipv4_rt_add + ipv4_rt_replace ++ ipv4_local_rt_cache + + route_cleanup + } +-- +2.30.2 + diff --git a/queue-5.10/lantiq-net-fix-duplicated-skb-in-rx-descriptor-ring.patch b/queue-5.10/lantiq-net-fix-duplicated-skb-in-rx-descriptor-ring.patch new file mode 100644 index 00000000000..7ff56bd7b3d --- /dev/null +++ b/queue-5.10/lantiq-net-fix-duplicated-skb-in-rx-descriptor-ring.patch @@ -0,0 +1,54 @@ +From 7ee73fe50f67ebe59ddc2b1efc002345e5a4274c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 22:42:57 +0200 +Subject: lantiq: net: fix duplicated skb in rx descriptor ring + +From: Aleksander Jan Bajkowski + +[ Upstream commit 7ea6cd16f1599c1eac6018751eadbc5fc736b99a ] + +The previous commit didn't fix the bug properly. By mistake, it replaces +the pointer of the next skb in the descriptor ring instead of the current +one. As a result, the two descriptors are assigned the same SKB. The error +is seen during the iperf test when skb_put tries to insert a second packet +and exceeds the available buffer. + +Fixes: c7718ee96dbc ("net: lantiq: fix memory corruption in RX ring ") +Signed-off-by: Aleksander Jan Bajkowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/lantiq_xrx200.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/lantiq_xrx200.c b/drivers/net/ethernet/lantiq_xrx200.c +index 3da494df72f3..072075bc60ee 100644 +--- a/drivers/net/ethernet/lantiq_xrx200.c ++++ b/drivers/net/ethernet/lantiq_xrx200.c +@@ -154,6 +154,7 @@ static int xrx200_close(struct net_device *net_dev) + + static int xrx200_alloc_skb(struct xrx200_chan *ch) + { ++ struct sk_buff *skb = ch->skb[ch->dma.desc]; + dma_addr_t mapping; + int ret = 0; + +@@ -168,6 +169,7 @@ static int xrx200_alloc_skb(struct xrx200_chan *ch) + XRX200_DMA_DATA_LEN, DMA_FROM_DEVICE); + if (unlikely(dma_mapping_error(ch->priv->dev, mapping))) { + dev_kfree_skb_any(ch->skb[ch->dma.desc]); ++ ch->skb[ch->dma.desc] = skb; + ret = -ENOMEM; + goto skip; + } +@@ -198,7 +200,6 @@ static int xrx200_hw_receive(struct xrx200_chan *ch) + ch->dma.desc %= LTQ_DESC_NUM; + + if (ret) { +- ch->skb[ch->dma.desc] = skb; + net_dev->stats.rx_dropped++; + netdev_err(net_dev, "failed to allocate new rx buffer\n"); + return ret; +-- +2.30.2 + diff --git a/queue-5.10/libbpf-fixes-incorrect-rx_ring_setup_done.patch b/queue-5.10/libbpf-fixes-incorrect-rx_ring_setup_done.patch new file mode 100644 index 00000000000..0e3ff8f6dcb --- /dev/null +++ b/queue-5.10/libbpf-fixes-incorrect-rx_ring_setup_done.patch @@ -0,0 +1,44 @@ +From f31a3139c15904416abc905fd982fda83adab1a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jun 2021 14:08:35 +0100 +Subject: libbpf: Fixes incorrect rx_ring_setup_done + +From: Kev Jackson + +[ Upstream commit 11fc79fc9f2e395aa39fa5baccae62767c5d8280 ] + +When calling xsk_socket__create_shared(), the logic at line 1097 marks a +boolean flag true within the xsk_umem structure to track setup progress +in order to support multiple calls to the function. However, instead of +marking umem->tx_ring_setup_done, the code incorrectly sets +umem->rx_ring_setup_done. This leads to improper behaviour when +creating and destroying xsk and umem structures. + +Multiple calls to this function is documented as supported. + +Fixes: ca7a83e2487a ("libbpf: Only create rx and tx XDP rings when necessary") +Signed-off-by: Kev Jackson +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/YL4aU4f3Aaik7CN0@linux-dev +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/xsk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/xsk.c b/tools/lib/bpf/xsk.c +index 7150e34cf2af..3028f932e10c 100644 +--- a/tools/lib/bpf/xsk.c ++++ b/tools/lib/bpf/xsk.c +@@ -779,7 +779,7 @@ int xsk_socket__create_shared(struct xsk_socket **xsk_ptr, + goto out_put_ctx; + } + if (xsk->fd == umem->fd) +- umem->rx_ring_setup_done = true; ++ umem->tx_ring_setup_done = true; + } + + err = xsk_get_mmap_offsets(xsk->fd, &off); +-- +2.30.2 + diff --git a/queue-5.10/mac80211-fix-skb-length-check-in-ieee80211_scan_rx.patch b/queue-5.10/mac80211-fix-skb-length-check-in-ieee80211_scan_rx.patch new file mode 100644 index 00000000000..d638681693d --- /dev/null +++ b/queue-5.10/mac80211-fix-skb-length-check-in-ieee80211_scan_rx.patch @@ -0,0 +1,61 @@ +From c42f9ee3fff2ec2378c32fe70cb11bc1158ebd05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 12:16:49 +0800 +Subject: mac80211: fix skb length check in ieee80211_scan_rx() + +From: Du Cheng + +[ Upstream commit e298aa358f0ca658406d524b6639fe389cb6e11e ] + +Replace hard-coded compile-time constants for header length check +with dynamic determination based on the frame type. Otherwise, we +hit a validation WARN_ON in cfg80211 later. + +Fixes: cd418ba63f0c ("mac80211: convert S1G beacon to scan results") +Reported-by: syzbot+405843667e93b9790fc1@syzkaller.appspotmail.com +Signed-off-by: Du Cheng +Link: https://lore.kernel.org/r/20210510041649.589754-1-ducheng2@gmail.com +[style fixes, reword commit message] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/scan.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c +index d4cc9ac2d703..6b50cb5e0e3c 100644 +--- a/net/mac80211/scan.c ++++ b/net/mac80211/scan.c +@@ -251,13 +251,24 @@ void ieee80211_scan_rx(struct ieee80211_local *local, struct sk_buff *skb) + struct ieee80211_mgmt *mgmt = (void *)skb->data; + struct ieee80211_bss *bss; + struct ieee80211_channel *channel; ++ size_t min_hdr_len = offsetof(struct ieee80211_mgmt, ++ u.probe_resp.variable); ++ ++ if (!ieee80211_is_probe_resp(mgmt->frame_control) && ++ !ieee80211_is_beacon(mgmt->frame_control) && ++ !ieee80211_is_s1g_beacon(mgmt->frame_control)) ++ return; + + if (ieee80211_is_s1g_beacon(mgmt->frame_control)) { +- if (skb->len < 15) +- return; +- } else if (skb->len < 24 || +- (!ieee80211_is_probe_resp(mgmt->frame_control) && +- !ieee80211_is_beacon(mgmt->frame_control))) ++ if (ieee80211_is_s1g_short_beacon(mgmt->frame_control)) ++ min_hdr_len = offsetof(struct ieee80211_ext, ++ u.s1g_short_beacon.variable); ++ else ++ min_hdr_len = offsetof(struct ieee80211_ext, ++ u.s1g_beacon); ++ } ++ ++ if (skb->len < min_hdr_len) + return; + + sdata1 = rcu_dereference(local->scan_sdata); +-- +2.30.2 + diff --git a/queue-5.10/mlxsw-core-set-thermal-zone-polling-delay-argument-t.patch b/queue-5.10/mlxsw-core-set-thermal-zone-polling-delay-argument-t.patch new file mode 100644 index 00000000000..0888a5b4886 --- /dev/null +++ b/queue-5.10/mlxsw-core-set-thermal-zone-polling-delay-argument-t.patch @@ -0,0 +1,60 @@ +From eb1c6593b484af85a3092955682d1bffb2b4c10a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Jun 2021 11:24:32 +0300 +Subject: mlxsw: core: Set thermal zone polling delay argument to real value at + init + +From: Mykola Kostenok + +[ Upstream commit 2fd8d84ce3095e8a7b5fe96532c91b1b9e07339c ] + +Thermal polling delay argument for modules and gearboxes thermal zones +used to be initialized with zero value, while actual delay was used to +be set by mlxsw_thermal_set_mode() by thermal operation callback +set_mode(). After operations set_mode()/get_mode() have been removed by +cited commits, modules and gearboxes thermal zones always have polling +time set to zero and do not perform temperature monitoring. + +Set non-zero "polling_delay" in thermal_zone_device_register() routine, +thus, the relevant thermal zones will perform thermal monitoring. + +Cc: Andrzej Pietrasiewicz +Fixes: 5d7bd8aa7c35 ("thermal: Simplify or eliminate unnecessary set_mode() methods") +Fixes: 1ee14820fd8e ("thermal: remove get_mode() operation of drivers") +Signed-off-by: Mykola Kostenok +Acked-by: Vadim Pasternak +Reviewed-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core_thermal.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c b/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c +index bf85ce9835d7..42e4437ac3c1 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c +@@ -708,7 +708,8 @@ mlxsw_thermal_module_tz_init(struct mlxsw_thermal_module *module_tz) + MLXSW_THERMAL_TRIP_MASK, + module_tz, + &mlxsw_thermal_module_ops, +- NULL, 0, 0); ++ NULL, 0, ++ module_tz->parent->polling_delay); + if (IS_ERR(module_tz->tzdev)) { + err = PTR_ERR(module_tz->tzdev); + return err; +@@ -830,7 +831,8 @@ mlxsw_thermal_gearbox_tz_init(struct mlxsw_thermal_module *gearbox_tz) + MLXSW_THERMAL_TRIP_MASK, + gearbox_tz, + &mlxsw_thermal_gearbox_ops, +- NULL, 0, 0); ++ NULL, 0, ++ gearbox_tz->parent->polling_delay); + if (IS_ERR(gearbox_tz->tzdev)) + return PTR_ERR(gearbox_tz->tzdev); + +-- +2.30.2 + diff --git a/queue-5.10/mlxsw-reg-spectrum-3-enforce-lowest-max-shaper-burst.patch b/queue-5.10/mlxsw-reg-spectrum-3-enforce-lowest-max-shaper-burst.patch new file mode 100644 index 00000000000..381a55bae6b --- /dev/null +++ b/queue-5.10/mlxsw-reg-spectrum-3-enforce-lowest-max-shaper-burst.patch @@ -0,0 +1,47 @@ +From 69bfc85f8af76b1071285cda0dca9897f0c77ee7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Jun 2021 11:24:30 +0300 +Subject: mlxsw: reg: Spectrum-3: Enforce lowest max-shaper burst size of 11 + +From: Petr Machata + +[ Upstream commit 306b9228c097b4101c150ccd262372ded8348644 ] + +A max-shaper is the HW component responsible for delaying egress traffic +above a configured transmission rate. Burst size is the amount of traffic +that is allowed to pass without accounting. The burst size value needs to +be such that it can be expressed as 2^BS * 512 bits, where BS lies in a +certain ASIC-dependent range. mlxsw enforces that this holds before +attempting to configure the shaper. + +The assumption for Spectrum-3 was that the lower limit of BS would be 5, +like for Spectrum-1. But as of now, the limit is still 11. Therefore fix +the driver accordingly, so that incorrect values are rejected early with a +proper message. + +Fixes: 23effa2479ba ("mlxsw: reg: Add max_shaper_bs to QoS ETS Element Configuration") +Reported-by: Maksym Yaremchuk +Signed-off-by: Petr Machata +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/reg.h b/drivers/net/ethernet/mellanox/mlxsw/reg.h +index 3c3069afc0a3..c670bf3464c2 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h ++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h +@@ -3641,7 +3641,7 @@ MLXSW_ITEM32(reg, qeec, max_shaper_bs, 0x1C, 0, 6); + #define MLXSW_REG_QEEC_HIGHEST_SHAPER_BS 25 + #define MLXSW_REG_QEEC_LOWEST_SHAPER_BS_SP1 5 + #define MLXSW_REG_QEEC_LOWEST_SHAPER_BS_SP2 11 +-#define MLXSW_REG_QEEC_LOWEST_SHAPER_BS_SP3 5 ++#define MLXSW_REG_QEEC_LOWEST_SHAPER_BS_SP3 11 + + static inline void mlxsw_reg_qeec_pack(char *payload, u8 local_port, + enum mlxsw_reg_qeec_hr hr, u8 index, +-- +2.30.2 + diff --git a/queue-5.10/mptcp-do-not-warn-on-bad-input-from-the-network.patch b/queue-5.10/mptcp-do-not-warn-on-bad-input-from-the-network.patch new file mode 100644 index 00000000000..49ad3a0a845 --- /dev/null +++ b/queue-5.10/mptcp-do-not-warn-on-bad-input-from-the-network.patch @@ -0,0 +1,63 @@ +From 27e9e5621635c3c7048dd81ce0b16c31868efb78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 15:59:42 -0700 +Subject: mptcp: do not warn on bad input from the network + +From: Paolo Abeni + +[ Upstream commit 61e710227e97172355d5f150d5c78c64175d9fb2 ] + +warn_bad_map() produces a kernel WARN on bad input coming +from the network. Use pr_debug() to avoid spamming the system +log. + +Additionally, when the right bound check fails, warn_bad_map() reports +the wrong ssn value, let's fix it. + +Fixes: 648ef4b88673 ("mptcp: Implement MPTCP receive path") +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/107 +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 96b6aca9d0ae..851fb3d8c791 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -655,10 +655,10 @@ static u64 expand_seq(u64 old_seq, u16 old_data_len, u64 seq) + return seq | ((old_seq + old_data_len + 1) & GENMASK_ULL(63, 32)); + } + +-static void warn_bad_map(struct mptcp_subflow_context *subflow, u32 ssn) ++static void dbg_bad_map(struct mptcp_subflow_context *subflow, u32 ssn) + { +- WARN_ONCE(1, "Bad mapping: ssn=%d map_seq=%d map_data_len=%d", +- ssn, subflow->map_subflow_seq, subflow->map_data_len); ++ pr_debug("Bad mapping: ssn=%d map_seq=%d map_data_len=%d", ++ ssn, subflow->map_subflow_seq, subflow->map_data_len); + } + + static bool skb_is_fully_mapped(struct sock *ssk, struct sk_buff *skb) +@@ -683,13 +683,13 @@ static bool validate_mapping(struct sock *ssk, struct sk_buff *skb) + /* Mapping covers data later in the subflow stream, + * currently unsupported. + */ +- warn_bad_map(subflow, ssn); ++ dbg_bad_map(subflow, ssn); + return false; + } + if (unlikely(!before(ssn, subflow->map_subflow_seq + + subflow->map_data_len))) { + /* Mapping does covers past subflow data, invalid */ +- warn_bad_map(subflow, ssn + skb->len); ++ dbg_bad_map(subflow, ssn); + return false; + } + return true; +-- +2.30.2 + diff --git a/queue-5.10/mptcp-fix-out-of-bounds-when-parsing-tcp-options.patch b/queue-5.10/mptcp-fix-out-of-bounds-when-parsing-tcp-options.patch new file mode 100644 index 00000000000..b479eaddf89 --- /dev/null +++ b/queue-5.10/mptcp-fix-out-of-bounds-when-parsing-tcp-options.patch @@ -0,0 +1,44 @@ +From c85864cb65b0d9cb149cf1402ad233b004167206 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 19:40:30 +0300 +Subject: mptcp: Fix out of bounds when parsing TCP options + +From: Maxim Mikityanskiy + +[ Upstream commit 07718be265680dcf496347d475ce1a5442f55ad7 ] + +The TCP option parser in mptcp (mptcp_get_options) could read one byte +out of bounds. When the length is 1, the execution flow gets into the +loop, reads one byte of the opcode, and if the opcode is neither +TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the +length of 1. + +This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack +out of bounds when parsing TCP options."). + +Cc: Young Xiao <92siuyang@gmail.com> +Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/options.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/mptcp/options.c b/net/mptcp/options.c +index 91034a221983..ac0233c9cd34 100644 +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -314,6 +314,8 @@ void mptcp_get_options(const struct sk_buff *skb, + length--; + continue; + default: ++ if (length < 2) ++ return; + opsize = *ptr++; + if (opsize < 2) /* "silly options" */ + return; +-- +2.30.2 + diff --git a/queue-5.10/mptcp-try-harder-to-borrow-memory-from-subflow-under.patch b/queue-5.10/mptcp-try-harder-to-borrow-memory-from-subflow-under.patch new file mode 100644 index 00000000000..eb1678c71f3 --- /dev/null +++ b/queue-5.10/mptcp-try-harder-to-borrow-memory-from-subflow-under.patch @@ -0,0 +1,54 @@ +From f212a99a17d20705a34110651298492fa9726e9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 15:59:40 -0700 +Subject: mptcp: try harder to borrow memory from subflow under pressure + +From: Paolo Abeni + +[ Upstream commit 72f961320d5d15bfcb26dbe3edaa3f7d25fd2c8a ] + +If the host is under sever memory pressure, and RX forward +memory allocation for the msk fails, we try to borrow the +required memory from the ingress subflow. + +The current attempt is a bit flaky: if skb->truesize is less +than SK_MEM_QUANTUM, the ssk will not release any memory, and +the next schedule will fail again. + +Instead, directly move the required amount of pages from the +ssk to the msk, if available + +Fixes: 9c3f94e1681b ("mptcp: add missing memory scheduling in the rx path") +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/protocol.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index 7832b20baac2..3ca8b359e399 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -276,11 +276,13 @@ static bool __mptcp_move_skb(struct mptcp_sock *msk, struct sock *ssk, + + /* try to fetch required memory from subflow */ + if (!sk_rmem_schedule(sk, skb, skb->truesize)) { +- if (ssk->sk_forward_alloc < skb->truesize) +- goto drop; +- __sk_mem_reclaim(ssk, skb->truesize); +- if (!sk_rmem_schedule(sk, skb, skb->truesize)) ++ int amount = sk_mem_pages(skb->truesize) << SK_MEM_QUANTUM_SHIFT; ++ ++ if (ssk->sk_forward_alloc < amount) + goto drop; ++ ++ ssk->sk_forward_alloc -= amount; ++ sk->sk_forward_alloc += amount; + } + + /* the skb map_seq accounts for the skb offset: +-- +2.30.2 + diff --git a/queue-5.10/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch b/queue-5.10/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch new file mode 100644 index 00000000000..d13759af017 --- /dev/null +++ b/queue-5.10/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch @@ -0,0 +1,96 @@ +From df578592c36581bbc2539f7e02f1c84fe3450048 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:47:15 -0700 +Subject: net/af_unix: fix a data-race in unix_dgram_sendmsg / + unix_release_sock + +From: Eric Dumazet + +[ Upstream commit a494bd642d9120648b06bb7d28ce6d05f55a7819 ] + +While unix_may_send(sk, osk) is called while osk is locked, it appears +unix_release_sock() can overwrite unix_peer() after this lock has been +released, making KCSAN unhappy. + +Changing unix_release_sock() to access/change unix_peer() +before lock is released should fix this issue. + +BUG: KCSAN: data-race in unix_dgram_sendmsg / unix_release_sock + +write to 0xffff88810465a338 of 8 bytes by task 20852 on cpu 1: + unix_release_sock+0x4ed/0x6e0 net/unix/af_unix.c:558 + unix_release+0x2f/0x50 net/unix/af_unix.c:859 + __sock_release net/socket.c:599 [inline] + sock_close+0x6c/0x150 net/socket.c:1258 + __fput+0x25b/0x4e0 fs/file_table.c:280 + ____fput+0x11/0x20 fs/file_table.c:313 + task_work_run+0xae/0x130 kernel/task_work.c:164 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:175 [inline] + exit_to_user_mode_prepare+0x156/0x190 kernel/entry/common.c:209 + __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] + syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:302 + do_syscall_64+0x56/0x90 arch/x86/entry/common.c:57 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff88810465a338 of 8 bytes by task 20888 on cpu 0: + unix_may_send net/unix/af_unix.c:189 [inline] + unix_dgram_sendmsg+0x923/0x1610 net/unix/af_unix.c:1712 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350 + ___sys_sendmsg net/socket.c:2404 [inline] + __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490 + __do_sys_sendmmsg net/socket.c:2519 [inline] + __se_sys_sendmmsg net/socket.c:2516 [inline] + __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0xffff888167905400 -> 0x0000000000000000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 20888 Comm: syz-executor.0 Not tainted 5.13.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 41c3303c3357..39be4b52329b 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -535,12 +535,14 @@ static void unix_release_sock(struct sock *sk, int embrion) + u->path.mnt = NULL; + state = sk->sk_state; + sk->sk_state = TCP_CLOSE; ++ ++ skpair = unix_peer(sk); ++ unix_peer(sk) = NULL; ++ + unix_state_unlock(sk); + + wake_up_interruptible_all(&u->peer_wait); + +- skpair = unix_peer(sk); +- + if (skpair != NULL) { + if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) { + unix_state_lock(skpair); +@@ -555,7 +557,6 @@ static void unix_release_sock(struct sock *sk, int embrion) + + unix_dgram_peer_wake_disconnect(sk, skpair); + sock_put(skpair); /* It may now die */ +- unix_peer(sk) = NULL; + } + + /* Try to flush out this socket. Throw out buffers at least */ +-- +2.30.2 + diff --git a/queue-5.10/net-cdc_eem-fix-tx-fixup-skb-leak.patch b/queue-5.10/net-cdc_eem-fix-tx-fixup-skb-leak.patch new file mode 100644 index 00000000000..2414c7a0aea --- /dev/null +++ b/queue-5.10/net-cdc_eem-fix-tx-fixup-skb-leak.patch @@ -0,0 +1,44 @@ +From cdf3c3c8d68e281a64c230ac4c8af53f7e83e360 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 07:32:32 +0800 +Subject: net: cdc_eem: fix tx fixup skb leak + +From: Linyu Yuan + +[ Upstream commit c3b26fdf1b32f91c7a3bc743384b4a298ab53ad7 ] + +when usbnet transmit a skb, eem fixup it in eem_tx_fixup(), +if skb_copy_expand() failed, it return NULL, +usbnet_start_xmit() will have no chance to free original skb. + +fix it by free orginal skb in eem_tx_fixup() first, +then check skb clone status, if failed, return NULL to usbnet. + +Fixes: 9f722c0978b0 ("usbnet: CDC EEM support (v5)") +Signed-off-by: Linyu Yuan +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_eem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/cdc_eem.c b/drivers/net/usb/cdc_eem.c +index 0eeec80bec31..e4a570366646 100644 +--- a/drivers/net/usb/cdc_eem.c ++++ b/drivers/net/usb/cdc_eem.c +@@ -123,10 +123,10 @@ static struct sk_buff *eem_tx_fixup(struct usbnet *dev, struct sk_buff *skb, + } + + skb2 = skb_copy_expand(skb, EEM_HEAD, ETH_FCS_LEN + padlen, flags); ++ dev_kfree_skb_any(skb); + if (!skb2) + return NULL; + +- dev_kfree_skb_any(skb); + skb = skb2; + + done: +-- +2.30.2 + diff --git a/queue-5.10/net-cdc_ncm-switch-to-eth-d-interface-naming.patch b/queue-5.10/net-cdc_ncm-switch-to-eth-d-interface-naming.patch new file mode 100644 index 00000000000..b8ed86d5b0f --- /dev/null +++ b/queue-5.10/net-cdc_ncm-switch-to-eth-d-interface-naming.patch @@ -0,0 +1,77 @@ +From 3595faa64ab39696765973f7d4be245794f12b3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 01:05:49 -0700 +Subject: net: cdc_ncm: switch to eth%d interface naming +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +[ Upstream commit c1a3d4067309451e68c33dbd356032549cc0bd8e ] + +This is meant to make the host side cdc_ncm interface consistently +named just like the older CDC protocols: cdc_ether & cdc_ecm +(and even rndis_host), which all use 'FLAG_ETHER | FLAG_POINTTOPOINT'. + +include/linux/usb/usbnet.h: + #define FLAG_ETHER 0x0020 /* maybe use "eth%d" names */ + #define FLAG_WLAN 0x0080 /* use "wlan%d" names */ + #define FLAG_WWAN 0x0400 /* use "wwan%d" names */ + #define FLAG_POINTTOPOINT 0x1000 /* possibly use "usb%d" names */ + +drivers/net/usb/usbnet.c @ line 1711: + strcpy (net->name, "usb%d"); + ... + // heuristic: "usb%d" for links we know are two-host, + // else "eth%d" when there's reasonable doubt. userspace + // can rename the link if it knows better. + if ((dev->driver_info->flags & FLAG_ETHER) != 0 && + ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 || + (net->dev_addr [0] & 0x02) == 0)) + strcpy (net->name, "eth%d"); + /* WLAN devices should always be named "wlan%d" */ + if ((dev->driver_info->flags & FLAG_WLAN) != 0) + strcpy(net->name, "wlan%d"); + /* WWAN devices should always be named "wwan%d" */ + if ((dev->driver_info->flags & FLAG_WWAN) != 0) + strcpy(net->name, "wwan%d"); + +So by using ETHER | POINTTOPOINT the interface naming is +either usb%d or eth%d based on the global uniqueness of the +mac address of the device. + +Without this 2.5gbps ethernet dongles which all seem to use the cdc_ncm +driver end up being called usb%d instead of eth%d even though they're +definitely not two-host. (All 1gbps & 5gbps ethernet usb dongles I've +tested don't hit this problem due to use of different drivers, primarily +r8152 and aqc111) + +Fixes tag is based purely on git blame, and is really just here to make +sure this hits LTS branches newer than v4.5. + +Cc: Lorenzo Colitti +Fixes: 4d06dd537f95 ("cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind") +Signed-off-by: Maciej Żenczykowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 1d3bf810f2ca..04c4f1570bc8 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1900,7 +1900,7 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb) + static const struct driver_info cdc_ncm_info = { + .description = "CDC NCM", + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET +- | FLAG_LINK_INTR, ++ | FLAG_LINK_INTR | FLAG_ETHER, + .bind = cdc_ncm_bind, + .unbind = cdc_ncm_unbind, + .manage_power = usbnet_manage_power, +-- +2.30.2 + diff --git a/queue-5.10/net-dsa-felix-re-enable-tx-flow-control-in-ocelot_po.patch b/queue-5.10/net-dsa-felix-re-enable-tx-flow-control-in-ocelot_po.patch new file mode 100644 index 00000000000..5d413e7d4cd --- /dev/null +++ b/queue-5.10/net-dsa-felix-re-enable-tx-flow-control-in-ocelot_po.patch @@ -0,0 +1,54 @@ +From c19203e44c1c8d1e9bbf2f8a542fb0a92da2b595 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 14:15:35 +0300 +Subject: net: dsa: felix: re-enable TX flow control in ocelot_port_flush() + +From: Vladimir Oltean + +[ Upstream commit 1650bdb1c516c248fb06f6d076559ff6437a5853 ] + +Because flow control is set up statically in ocelot_init_port(), and not +in phylink_mac_link_up(), what happens is that after the blamed commit, +the flow control remains disabled after the port flushing procedure. + +Fixes: eb4733d7cffc ("net: dsa: felix: implement port flushing on .phylink_mac_link_down") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c +index aa400b925b08..5bfc7acfd13a 100644 +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -355,6 +355,7 @@ static u32 ocelot_read_eq_avail(struct ocelot *ocelot, int port) + + int ocelot_port_flush(struct ocelot *ocelot, int port) + { ++ unsigned int pause_ena; + int err, val; + + /* Disable dequeuing from the egress queues */ +@@ -363,6 +364,7 @@ int ocelot_port_flush(struct ocelot *ocelot, int port) + QSYS_PORT_MODE, port); + + /* Disable flow control */ ++ ocelot_fields_read(ocelot, port, SYS_PAUSE_CFG_PAUSE_ENA, &pause_ena); + ocelot_fields_write(ocelot, port, SYS_PAUSE_CFG_PAUSE_ENA, 0); + + /* Disable priority flow control */ +@@ -398,6 +400,9 @@ int ocelot_port_flush(struct ocelot *ocelot, int port) + /* Clear flushing again. */ + ocelot_rmw_gix(ocelot, 0, REW_PORT_CFG_FLUSH_ENA, REW_PORT_CFG, port); + ++ /* Re-enable flow control */ ++ ocelot_fields_write(ocelot, port, SYS_PAUSE_CFG_PAUSE_ENA, pause_ena); ++ + return err; + } + EXPORT_SYMBOL(ocelot_port_flush); +-- +2.30.2 + diff --git a/queue-5.10/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch b/queue-5.10/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch new file mode 100644 index 00000000000..72854ffb070 --- /dev/null +++ b/queue-5.10/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch @@ -0,0 +1,56 @@ +From 691e4b572e8154b8d47b984886ba329c786f43b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 16:49:02 +0300 +Subject: net: ethernet: fix potential use-after-free in ec_bhf_remove + +From: Pavel Skripkin + +[ Upstream commit 9cca0c2d70149160407bda9a9446ce0c29b6e6c6 ] + +static void ec_bhf_remove(struct pci_dev *dev) +{ +... + struct ec_bhf_priv *priv = netdev_priv(net_dev); + + unregister_netdev(net_dev); + free_netdev(net_dev); + + pci_iounmap(dev, priv->dma_io); + pci_iounmap(dev, priv->io); +... +} + +priv is netdev private data, but it is used +after free_netdev(). It can cause use-after-free when accessing priv +pointer. So, fix it by moving free_netdev() after pci_iounmap() +calls. + +Fixes: 6af55ff52b02 ("Driver for Beckhoff CX5020 EtherCAT master module.") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ec_bhf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ec_bhf.c b/drivers/net/ethernet/ec_bhf.c +index 46b0dbab8aad..7c992172933b 100644 +--- a/drivers/net/ethernet/ec_bhf.c ++++ b/drivers/net/ethernet/ec_bhf.c +@@ -576,10 +576,12 @@ static void ec_bhf_remove(struct pci_dev *dev) + struct ec_bhf_priv *priv = netdev_priv(net_dev); + + unregister_netdev(net_dev); +- free_netdev(net_dev); + + pci_iounmap(dev, priv->dma_io); + pci_iounmap(dev, priv->io); ++ ++ free_netdev(net_dev); ++ + pci_release_regions(dev); + pci_clear_master(dev); + pci_disable_device(dev); +-- +2.30.2 + diff --git a/queue-5.10/net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch b/queue-5.10/net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch new file mode 100644 index 00000000000..d2ccb9d6d2f --- /dev/null +++ b/queue-5.10/net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch @@ -0,0 +1,44 @@ +From d9292bc7f3cfa7cbf121a334304d1d7963920b8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 17:14:26 +0800 +Subject: net: fec_ptp: fix issue caused by refactor the fec_devtype + +From: Joakim Zhang + +[ Upstream commit d23765646e71b43ed2b809930411ba5c0aadee7b ] + +Commit da722186f654 ("net: fec: set GPR bit on suspend by DT configuration.") +refactor the fec_devtype, need adjust ptp driver accordingly. + +Fixes: da722186f654 ("net: fec: set GPR bit on suspend by DT configuration.") +Signed-off-by: Joakim Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_ptp.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c +index 1753807cbf97..ce8e5555f3e0 100644 +--- a/drivers/net/ethernet/freescale/fec_ptp.c ++++ b/drivers/net/ethernet/freescale/fec_ptp.c +@@ -215,15 +215,13 @@ static u64 fec_ptp_read(const struct cyclecounter *cc) + { + struct fec_enet_private *fep = + container_of(cc, struct fec_enet_private, cc); +- const struct platform_device_id *id_entry = +- platform_get_device_id(fep->pdev); + u32 tempval; + + tempval = readl(fep->hwp + FEC_ATIME_CTRL); + tempval |= FEC_T_CTRL_CAPTURE; + writel(tempval, fep->hwp + FEC_ATIME_CTRL); + +- if (id_entry->driver_data & FEC_QUIRK_BUG_CAPTURE) ++ if (fep->quirks & FEC_QUIRK_BUG_CAPTURE) + udelay(1); + + return readl(fep->hwp + FEC_ATIME); +-- +2.30.2 + diff --git a/queue-5.10/net-hamradio-fix-memory-leak-in-mkiss_close.patch b/queue-5.10/net-hamradio-fix-memory-leak-in-mkiss_close.patch new file mode 100644 index 00000000000..0cd49f90c97 --- /dev/null +++ b/queue-5.10/net-hamradio-fix-memory-leak-in-mkiss_close.patch @@ -0,0 +1,112 @@ +From fdbddf1bd88357b1c6cdd295436aa34d893d89da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 22:09:06 +0300 +Subject: net: hamradio: fix memory leak in mkiss_close + +From: Pavel Skripkin + +[ Upstream commit 7edcc682301492380fbdd604b4516af5ae667a13 ] + +My local syzbot instance hit memory leak in +mkiss_open()[1]. The problem was in missing +free_netdev() in mkiss_close(). + +In mkiss_open() netdevice is allocated and then +registered, but in mkiss_close() netdevice was +only unregistered, but not freed. + +Fail log: + +BUG: memory leak +unreferenced object 0xffff8880281ba000 (size 4096): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0............. + 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*............ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x98/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff8880141a9a00 (size 96): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(.... + 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@.......... + backtrace: + [] __hw_addr_create_ex+0x5b/0x310 + [] __hw_addr_add_ex+0x1f8/0x2b0 + [] dev_addr_init+0x10b/0x1f0 + [] alloc_netdev_mqs+0x13b/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff8880219bfc00 (size 512): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............ + 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x777/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff888029b2b200 (size 256): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x912/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 815f62bf7427 ("[PATCH] SMP rewrite of mkiss") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/mkiss.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c +index 17be2bb2985c..920e9f888cc3 100644 +--- a/drivers/net/hamradio/mkiss.c ++++ b/drivers/net/hamradio/mkiss.c +@@ -799,6 +799,7 @@ static void mkiss_close(struct tty_struct *tty) + ax->tty = NULL; + + unregister_netdev(ax->dev); ++ free_netdev(ax->dev); + } + + /* Perform I/O control on an active ax25 channel. */ +-- +2.30.2 + diff --git a/queue-5.10/net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch b/queue-5.10/net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch new file mode 100644 index 00000000000..2ff08858f8f --- /dev/null +++ b/queue-5.10/net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch @@ -0,0 +1,86 @@ +From 636ae3a4faf7213d146ed13c2d4c5d75279cb3f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 17:59:25 +0800 +Subject: net: ipv4: fix memory leak in ip_mc_add1_src + +From: Chengyang Fan + +[ Upstream commit d8e2973029b8b2ce477b564824431f3385c77083 ] + +BUG: memory leak +unreferenced object 0xffff888101bc4c00 (size 32): + comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................ + backtrace: + [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline] + [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline] + [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline] + [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095 + [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416 + [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline] + [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423 + [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857 + [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117 + [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline] + [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline] + [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125 + [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47 + [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set +link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed, +because it was also called in igmpv3_clear_delrec(). + +Rough callgraph: + +inetdev_destroy +-> ip_mc_destroy_dev + -> igmpv3_clear_delrec + -> ip_mc_clear_src +-> RCU_INIT_POINTER(dev->ip_ptr, NULL) + +However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't +release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the +NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through +inetdev_by_index() and then in_dev->mc_list->sources cannot be released +by ip_mc_del1_src() in the sock_close. Rough call sequence goes like: + +sock_close +-> __sock_release + -> inet_release + -> ip_mc_drop_socket + -> inetdev_by_index + -> ip_mc_leave_src + -> ip_mc_del_src + -> ip_mc_del1_src + +So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free +in_dev->mc_list->sources. + +Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info ...") +Reported-by: Hulk Robot +Signed-off-by: Chengyang Fan +Acked-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/igmp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index 7b272bbed2b4..6b3c558a4f23 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -1801,6 +1801,7 @@ void ip_mc_destroy_dev(struct in_device *in_dev) + while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) { + in_dev->mc_list = i->next_rcu; + in_dev->mc_count--; ++ ip_mc_clear_src(i); + ip_ma_put(i); + } + } +-- +2.30.2 + diff --git a/queue-5.10/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch b/queue-5.10/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch new file mode 100644 index 00000000000..5b3a011b57b --- /dev/null +++ b/queue-5.10/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch @@ -0,0 +1,66 @@ +From 9c8652ce1fda6fd1192dec3bb7d16563b1b1b943 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 09:51:58 +0800 +Subject: net: ipv4: fix memory leak in netlbl_cipsov4_add_std + +From: Nanyong Sun + +[ Upstream commit d612c3f3fae221e7ea736d196581c2217304bbbc ] + +Reported by syzkaller: +BUG: memory leak +unreferenced object 0xffff888105df7000 (size 64): +comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s) +hex dump (first 32 bytes): +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +backtrace: +[<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline] +[<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline] +[<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline] +[<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416 +[<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739 +[<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] +[<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800 +[<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504 +[<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 +[<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] +[<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340 +[<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929 +[<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline] +[<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674 +[<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350 +[<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404 +[<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433 +[<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47 +[<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +The memory of doi_def->map.std pointing is allocated in +netlbl_cipsov4_add_std, but no place has freed it. It should be +freed in cipso_v4_doi_free which frees the cipso DOI resource. + +Fixes: 96cb8e3313c7a ("[NetLabel]: CIPSOv4 and Unlabeled packet integration") +Reported-by: Hulk Robot +Signed-off-by: Nanyong Sun +Acked-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/cipso_ipv4.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index be09c7669a79..ca217a6f488f 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -472,6 +472,7 @@ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def) + kfree(doi_def->map.std->lvl.local); + kfree(doi_def->map.std->cat.cipso); + kfree(doi_def->map.std->cat.local); ++ kfree(doi_def->map.std); + break; + } + kfree(doi_def); +-- +2.30.2 + diff --git a/queue-5.10/net-lantiq-disable-interrupt-before-sheduling-napi.patch b/queue-5.10/net-lantiq-disable-interrupt-before-sheduling-napi.patch new file mode 100644 index 00000000000..583c8075be8 --- /dev/null +++ b/queue-5.10/net-lantiq-disable-interrupt-before-sheduling-napi.patch @@ -0,0 +1,45 @@ +From a039315ef329f6a566463727da5fa6aab90ca4f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 23:21:07 +0200 +Subject: net: lantiq: disable interrupt before sheduling NAPI + +From: Aleksander Jan Bajkowski + +[ Upstream commit f2386cf7c5f4ff5d7b584f5d92014edd7df6c676 ] + +This patch fixes TX hangs with threaded NAPI enabled. The scheduled +NAPI seems to be executed in parallel with the interrupt on second +thread. Sometimes it happens that ltq_dma_disable_irq() is executed +after xrx200_tx_housekeeping(). The symptom is that TX interrupts +are disabled in the DMA controller. As a result, the TX hangs after +a few seconds of the iperf test. Scheduling NAPI after disabling +interrupts fixes this issue. + +Tested on Lantiq xRX200 (BT Home Hub 5A). + +Fixes: 9423361da523 ("net: lantiq: Disable IRQs only if NAPI gets scheduled ") +Signed-off-by: Aleksander Jan Bajkowski +Acked-by: Hauke Mehrtens +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/lantiq_xrx200.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/lantiq_xrx200.c b/drivers/net/ethernet/lantiq_xrx200.c +index 135ba5b6ae98..3da494df72f3 100644 +--- a/drivers/net/ethernet/lantiq_xrx200.c ++++ b/drivers/net/ethernet/lantiq_xrx200.c +@@ -352,8 +352,8 @@ static irqreturn_t xrx200_dma_irq(int irq, void *ptr) + struct xrx200_chan *ch = ptr; + + if (napi_schedule_prep(&ch->napi)) { +- __napi_schedule(&ch->napi); + ltq_dma_disable_irq(&ch->dma); ++ __napi_schedule(&ch->napi); + } + + ltq_dma_ack_irq(&ch->dma); +-- +2.30.2 + diff --git a/queue-5.10/net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch b/queue-5.10/net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch new file mode 100644 index 00000000000..96fefbd2f66 --- /dev/null +++ b/queue-5.10/net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch @@ -0,0 +1,131 @@ +From e5cf5ff0a6fbdd224f2c291cfe5ab4af80f94161 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 22:29:59 +0800 +Subject: net: make get_net_ns return error if NET_NS is disabled + +From: Changbin Du + +[ Upstream commit ea6932d70e223e02fea3ae20a4feff05d7c1ea9a ] + +There is a panic in socket ioctl cmd SIOCGSKNS when NET_NS is not enabled. +The reason is that nsfs tries to access ns->ops but the proc_ns_operations +is not implemented in this case. + +[7.670023] Unable to handle kernel NULL pointer dereference at virtual address 00000010 +[7.670268] pgd = 32b54000 +[7.670544] [00000010] *pgd=00000000 +[7.671861] Internal error: Oops: 5 [#1] SMP ARM +[7.672315] Modules linked in: +[7.672918] CPU: 0 PID: 1 Comm: systemd Not tainted 5.13.0-rc3-00375-g6799d4f2da49 #16 +[7.673309] Hardware name: Generic DT based system +[7.673642] PC is at nsfs_evict+0x24/0x30 +[7.674486] LR is at clear_inode+0x20/0x9c + +The same to tun SIOCGSKNS command. + +To fix this problem, we make get_net_ns() return -EINVAL when NET_NS is +disabled. Meanwhile move it to right place net/core/net_namespace.c. + +Signed-off-by: Changbin Du +Fixes: c62cce2caee5 ("net: add an ioctl to get a socket network namespace") +Cc: Cong Wang +Cc: Jakub Kicinski +Cc: David Laight +Cc: Christian Brauner +Suggested-by: Jakub Kicinski +Acked-by: Christian Brauner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/socket.h | 2 -- + include/net/net_namespace.h | 7 +++++++ + net/core/net_namespace.c | 12 ++++++++++++ + net/socket.c | 13 ------------- + 4 files changed, 19 insertions(+), 15 deletions(-) + +diff --git a/include/linux/socket.h b/include/linux/socket.h +index e9cb30d8cbfb..9aa530d497da 100644 +--- a/include/linux/socket.h ++++ b/include/linux/socket.h +@@ -437,6 +437,4 @@ extern int __sys_getpeername(int fd, struct sockaddr __user *usockaddr, + extern int __sys_socketpair(int family, int type, int protocol, + int __user *usockvec); + extern int __sys_shutdown(int fd, int how); +- +-extern struct ns_common *get_net_ns(struct ns_common *ns); + #endif /* _LINUX_SOCKET_H */ +diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h +index 22bc07f4b043..eb0e7731f3b1 100644 +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -203,6 +203,8 @@ struct net *copy_net_ns(unsigned long flags, struct user_namespace *user_ns, + void net_ns_get_ownership(const struct net *net, kuid_t *uid, kgid_t *gid); + + void net_ns_barrier(void); ++ ++struct ns_common *get_net_ns(struct ns_common *ns); + #else /* CONFIG_NET_NS */ + #include + #include +@@ -222,6 +224,11 @@ static inline void net_ns_get_ownership(const struct net *net, + } + + static inline void net_ns_barrier(void) {} ++ ++static inline struct ns_common *get_net_ns(struct ns_common *ns) ++{ ++ return ERR_PTR(-EINVAL); ++} + #endif /* CONFIG_NET_NS */ + + +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index dbc66b896287..5c9d95f30be6 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -650,6 +650,18 @@ void __put_net(struct net *net) + } + EXPORT_SYMBOL_GPL(__put_net); + ++/** ++ * get_net_ns - increment the refcount of the network namespace ++ * @ns: common namespace (net) ++ * ++ * Returns the net's common namespace. ++ */ ++struct ns_common *get_net_ns(struct ns_common *ns) ++{ ++ return &get_net(container_of(ns, struct net, ns))->ns; ++} ++EXPORT_SYMBOL_GPL(get_net_ns); ++ + struct net *get_net_ns_by_fd(int fd) + { + struct file *file; +diff --git a/net/socket.c b/net/socket.c +index 6e6cccc2104f..002d5952ae5d 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -1080,19 +1080,6 @@ static long sock_do_ioctl(struct net *net, struct socket *sock, + * what to do with it - that's up to the protocol still. + */ + +-/** +- * get_net_ns - increment the refcount of the network namespace +- * @ns: common namespace (net) +- * +- * Returns the net's common namespace. +- */ +- +-struct ns_common *get_net_ns(struct ns_common *ns) +-{ +- return &get_net(container_of(ns, struct net, ns))->ns; +-} +-EXPORT_SYMBOL_GPL(get_net_ns); +- + static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg) + { + struct socket *sock; +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5-consider-roce-cap-before-init-rdma-resource.patch b/queue-5.10/net-mlx5-consider-roce-cap-before-init-rdma-resource.patch new file mode 100644 index 00000000000..eb87dc2b2f9 --- /dev/null +++ b/queue-5.10/net-mlx5-consider-roce-cap-before-init-rdma-resource.patch @@ -0,0 +1,37 @@ +From 01f7a55e2ded0188bbb94020d917de70ac1219f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Jun 2021 11:20:46 +0300 +Subject: net/mlx5: Consider RoCE cap before init RDMA resources + +From: Maor Gottlieb + +[ Upstream commit c189716b2a7c1d2d8658e269735273caa1c38b54 ] + +Check if RoCE is supported by the device before enable it in +the vport context and create all the RDMA steering objects. + +Fixes: 80f09dfc237f ("net/mlx5: Eswitch, enable RoCE loopback traffic") +Signed-off-by: Maor Gottlieb +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/rdma.c b/drivers/net/ethernet/mellanox/mlx5/core/rdma.c +index 8e0dddc6383f..2389239acadc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/rdma.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/rdma.c +@@ -156,6 +156,9 @@ void mlx5_rdma_enable_roce(struct mlx5_core_dev *dev) + { + int err; + ++ if (!MLX5_CAP_GEN(dev, roce)) ++ return; ++ + err = mlx5_nic_vport_enable_roce(dev); + if (err) { + mlx5_core_err(dev, "Failed to enable RoCE: %d\n", err); +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5-dr-allow-sw-steering-for-sw_owner_v2-device.patch b/queue-5.10/net-mlx5-dr-allow-sw-steering-for-sw_owner_v2-device.patch new file mode 100644 index 00000000000..38d9c971732 --- /dev/null +++ b/queue-5.10/net-mlx5-dr-allow-sw-steering-for-sw_owner_v2-device.patch @@ -0,0 +1,163 @@ +From 17a81bc35fe56fa807e8dabc9c378dad162cdbdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jan 2021 02:26:45 +0200 +Subject: net/mlx5: DR, Allow SW steering for sw_owner_v2 devices + +From: Yevgeny Kliteynik + +[ Upstream commit 64f45c0fc4c71f577506c5a7a7956ae3bc3388ea ] + +Allow sw_owner_v2 based on sw_format_version. + +Signed-off-by: Alex Vesker +Signed-off-by: Yevgeny Kliteynik +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/steering/dr_cmd.c | 17 +++++++++++------ + .../mellanox/mlx5/core/steering/dr_domain.c | 17 +++++++++-------- + .../mellanox/mlx5/core/steering/dr_types.h | 6 +++++- + .../mellanox/mlx5/core/steering/mlx5dr.h | 5 ++++- + 4 files changed, 29 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c +index 51bbd88ff021..fd56cae0d54f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c +@@ -78,9 +78,9 @@ int mlx5dr_cmd_query_esw_caps(struct mlx5_core_dev *mdev, + caps->uplink_icm_address_tx = + MLX5_CAP64_ESW_FLOWTABLE(mdev, + sw_steering_uplink_icm_address_tx); +- caps->sw_owner = +- MLX5_CAP_ESW_FLOWTABLE_FDB(mdev, +- sw_owner); ++ caps->sw_owner_v2 = MLX5_CAP_ESW_FLOWTABLE_FDB(mdev, sw_owner_v2); ++ if (!caps->sw_owner_v2) ++ caps->sw_owner = MLX5_CAP_ESW_FLOWTABLE_FDB(mdev, sw_owner); + + return 0; + } +@@ -113,10 +113,15 @@ int mlx5dr_cmd_query_device(struct mlx5_core_dev *mdev, + caps->nic_tx_allow_address = + MLX5_CAP64_FLOWTABLE(mdev, sw_steering_nic_tx_action_allow_icm_address); + +- caps->rx_sw_owner = MLX5_CAP_FLOWTABLE_NIC_RX(mdev, sw_owner); +- caps->max_ft_level = MLX5_CAP_FLOWTABLE_NIC_RX(mdev, max_ft_level); ++ caps->rx_sw_owner_v2 = MLX5_CAP_FLOWTABLE_NIC_RX(mdev, sw_owner_v2); ++ caps->tx_sw_owner_v2 = MLX5_CAP_FLOWTABLE_NIC_TX(mdev, sw_owner_v2); ++ ++ if (!caps->rx_sw_owner_v2) ++ caps->rx_sw_owner = MLX5_CAP_FLOWTABLE_NIC_RX(mdev, sw_owner); ++ if (!caps->tx_sw_owner_v2) ++ caps->tx_sw_owner = MLX5_CAP_FLOWTABLE_NIC_TX(mdev, sw_owner); + +- caps->tx_sw_owner = MLX5_CAP_FLOWTABLE_NIC_TX(mdev, sw_owner); ++ caps->max_ft_level = MLX5_CAP_FLOWTABLE_NIC_RX(mdev, max_ft_level); + + caps->log_icm_size = MLX5_CAP_DEV_MEM(mdev, log_steering_sw_icm_size); + caps->hdr_modify_icm_addr = +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +index aa2c2d6c44e6..00d861361428 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +@@ -4,6 +4,11 @@ + #include + #include "dr_types.h" + ++#define DR_DOMAIN_SW_STEERING_SUPPORTED(dmn, dmn_type) \ ++ ((dmn)->info.caps.dmn_type##_sw_owner || \ ++ ((dmn)->info.caps.dmn_type##_sw_owner_v2 && \ ++ (dmn)->info.caps.sw_format_ver <= MLX5_STEERING_FORMAT_CONNECTX_6DX)) ++ + static int dr_domain_init_cache(struct mlx5dr_domain *dmn) + { + /* Per vport cached FW FT for checksum recalculation, this +@@ -181,6 +186,7 @@ static int dr_domain_query_fdb_caps(struct mlx5_core_dev *mdev, + return ret; + + dmn->info.caps.fdb_sw_owner = dmn->info.caps.esw_caps.sw_owner; ++ dmn->info.caps.fdb_sw_owner_v2 = dmn->info.caps.esw_caps.sw_owner_v2; + dmn->info.caps.esw_rx_drop_address = dmn->info.caps.esw_caps.drop_icm_address_rx; + dmn->info.caps.esw_tx_drop_address = dmn->info.caps.esw_caps.drop_icm_address_tx; + +@@ -223,18 +229,13 @@ static int dr_domain_caps_init(struct mlx5_core_dev *mdev, + if (ret) + return ret; + +- if (dmn->info.caps.sw_format_ver != MLX5_STEERING_FORMAT_CONNECTX_5) { +- mlx5dr_err(dmn, "SW steering is not supported on this device\n"); +- return -EOPNOTSUPP; +- } +- + ret = dr_domain_query_fdb_caps(mdev, dmn); + if (ret) + return ret; + + switch (dmn->type) { + case MLX5DR_DOMAIN_TYPE_NIC_RX: +- if (!dmn->info.caps.rx_sw_owner) ++ if (!DR_DOMAIN_SW_STEERING_SUPPORTED(dmn, rx)) + return -ENOTSUPP; + + dmn->info.supp_sw_steering = true; +@@ -243,7 +244,7 @@ static int dr_domain_caps_init(struct mlx5_core_dev *mdev, + dmn->info.rx.drop_icm_addr = dmn->info.caps.nic_rx_drop_address; + break; + case MLX5DR_DOMAIN_TYPE_NIC_TX: +- if (!dmn->info.caps.tx_sw_owner) ++ if (!DR_DOMAIN_SW_STEERING_SUPPORTED(dmn, tx)) + return -ENOTSUPP; + + dmn->info.supp_sw_steering = true; +@@ -255,7 +256,7 @@ static int dr_domain_caps_init(struct mlx5_core_dev *mdev, + if (!dmn->info.caps.eswitch_manager) + return -ENOTSUPP; + +- if (!dmn->info.caps.fdb_sw_owner) ++ if (!DR_DOMAIN_SW_STEERING_SUPPORTED(dmn, fdb)) + return -ENOTSUPP; + + dmn->info.rx.ste_type = MLX5DR_STE_TYPE_RX; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +index cf62ea4f882e..42c49f09e9d3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h +@@ -597,7 +597,8 @@ struct mlx5dr_esw_caps { + u64 drop_icm_address_tx; + u64 uplink_icm_address_rx; + u64 uplink_icm_address_tx; +- bool sw_owner; ++ u8 sw_owner:1; ++ u8 sw_owner_v2:1; + }; + + struct mlx5dr_cmd_vport_cap { +@@ -630,6 +631,9 @@ struct mlx5dr_cmd_caps { + bool rx_sw_owner; + bool tx_sw_owner; + bool fdb_sw_owner; ++ u8 rx_sw_owner_v2:1; ++ u8 tx_sw_owner_v2:1; ++ u8 fdb_sw_owner_v2:1; + u32 num_vports; + struct mlx5dr_esw_caps esw_caps; + struct mlx5dr_cmd_vport_cap *vports_caps; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h +index 7914fe3fc68d..6f3db8dc896c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h +@@ -124,7 +124,10 @@ int mlx5dr_action_destroy(struct mlx5dr_action *action); + static inline bool + mlx5dr_is_supported(struct mlx5_core_dev *dev) + { +- return MLX5_CAP_ESW_FLOWTABLE_FDB(dev, sw_owner); ++ return MLX5_CAP_ESW_FLOWTABLE_FDB(dev, sw_owner) || ++ (MLX5_CAP_ESW_FLOWTABLE_FDB(dev, sw_owner_v2) && ++ (MLX5_CAP_GEN(dev, steering_format_version) <= ++ MLX5_STEERING_FORMAT_CONNECTX_6DX)); + } + + #endif /* _MLX5DR_H_ */ +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5-dr-don-t-use-sw-steering-when-roce-is-not-s.patch b/queue-5.10/net-mlx5-dr-don-t-use-sw-steering-when-roce-is-not-s.patch new file mode 100644 index 00000000000..21fd681c4f5 --- /dev/null +++ b/queue-5.10/net-mlx5-dr-don-t-use-sw-steering-when-roce-is-not-s.patch @@ -0,0 +1,45 @@ +From c3c9bf7954253429e702082eea39f334da46c3e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Jun 2021 11:23:41 +0300 +Subject: net/mlx5: DR, Don't use SW steering when RoCE is not supported + +From: Maor Gottlieb + +[ Upstream commit 4aaf96ac8b45d8e2e019b6b53cce65a73c4ace2c ] + +SW steering uses RC QP to write/read to/from ICM, hence it's not +supported when RoCE is not supported as well. + +Fixes: 70605ea545e8 ("net/mlx5: DR, Expose APIs for direct rule managing") +Signed-off-by: Maor Gottlieb +Reviewed-by: Alex Vesker +Reviewed-by: Yevgeny Kliteynik +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h b/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h +index 6f3db8dc896c..454968ba6831 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h +@@ -124,10 +124,11 @@ int mlx5dr_action_destroy(struct mlx5dr_action *action); + static inline bool + mlx5dr_is_supported(struct mlx5_core_dev *dev) + { +- return MLX5_CAP_ESW_FLOWTABLE_FDB(dev, sw_owner) || +- (MLX5_CAP_ESW_FLOWTABLE_FDB(dev, sw_owner_v2) && +- (MLX5_CAP_GEN(dev, steering_format_version) <= +- MLX5_STEERING_FORMAT_CONNECTX_6DX)); ++ return MLX5_CAP_GEN(dev, roce) && ++ (MLX5_CAP_ESW_FLOWTABLE_FDB(dev, sw_owner) || ++ (MLX5_CAP_ESW_FLOWTABLE_FDB(dev, sw_owner_v2) && ++ (MLX5_CAP_GEN(dev, steering_format_version) <= ++ MLX5_STEERING_FORMAT_CONNECTX_6DX))); + } + + #endif /* _MLX5DR_H_ */ +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5-e-switch-allow-setting-guid-for-host-pf-vpo.patch b/queue-5.10/net-mlx5-e-switch-allow-setting-guid-for-host-pf-vpo.patch new file mode 100644 index 00000000000..e513f96522c --- /dev/null +++ b/queue-5.10/net-mlx5-e-switch-allow-setting-guid-for-host-pf-vpo.patch @@ -0,0 +1,50 @@ +From 284f26a5caed85284ddae7bd777923164f7fec35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 19:03:24 +0300 +Subject: net/mlx5: E-Switch, Allow setting GUID for host PF vport + +From: Parav Pandit + +[ Upstream commit ca36fc4d77b35b8d142cf1ed0eae5ec2e071dc3c ] + +E-switch should be able to set the GUID of host PF vport. +Currently it returns an error. This results in below error +when user attempts to configure MAC address of the PF of an +external controller. + +$ devlink port function set pci/0000:03:00.0/196608 \ + hw_addr 00:00:00:11:22:33 + +mlx5_core 0000:03:00.0: mlx5_esw_set_vport_mac_locked:1876:(pid 6715):\ +"Failed to set vport 0 node guid, err = -22. +RDMA_CM will not function properly for this VF." + +Check for zero vport is no longer needed. + +Fixes: 330077d14de1 ("net/mlx5: E-switch, Supporting setting devlink port function mac address") +Signed-off-by: Yuval Avnery +Signed-off-by: Parav Pandit +Reviewed-by: Bodong Wang +Reviewed-by: Alaa Hleihel +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/vport.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c +index bdafc85fd874..fc91bbf7d0c3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c +@@ -464,8 +464,6 @@ int mlx5_modify_nic_vport_node_guid(struct mlx5_core_dev *mdev, + void *in; + int err; + +- if (!vport) +- return -EINVAL; + if (!MLX5_CAP_GEN(mdev, vport_group_manager)) + return -EACCES; + +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5-e-switch-read-pf-mac-address.patch b/queue-5.10/net-mlx5-e-switch-read-pf-mac-address.patch new file mode 100644 index 00000000000..50208ab29c6 --- /dev/null +++ b/queue-5.10/net-mlx5-e-switch-read-pf-mac-address.patch @@ -0,0 +1,81 @@ +From 10c101669843c0cc7c82a6bb4562d7c8f0d410fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 19:14:08 +0300 +Subject: net/mlx5: E-Switch, Read PF mac address + +From: Parav Pandit + +[ Upstream commit bbc8222dc49db8d49add0f27bcac33f4b92193dc ] + +External controller PF's MAC address is not read from the device during +vport setup. Fail to read this results in showing all zeros to user +while the factory programmed MAC is a valid value. + +$ devlink port show eth1 -jp +{ + "port": { + "pci/0000:03:00.0/196608": { + "type": "eth", + "netdev": "eth1", + "flavour": "pcipf", + "controller": 1, + "pfnum": 0, + "splittable": false, + "function": { + "hw_addr": "00:00:00:00:00:00" + } + } + } +} + +Hence, read it when enabling a vport. + +After the fix, + +$ devlink port show eth1 -jp +{ + "port": { + "pci/0000:03:00.0/196608": { + "type": "eth", + "netdev": "eth1", + "flavour": "pcipf", + "controller": 1, + "pfnum": 0, + "splittable": false, + "function": { + "hw_addr": "98:03:9b:a0:60:11" + } + } + } +} + +Fixes: f099fde16db3 ("net/mlx5: E-switch, Support querying port function mac address") +Signed-off-by: Bodong Wang +Signed-off-by: Parav Pandit +Reviewed-by: Alaa Hleihel +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index d61539b5567c..401b2f5128dd 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1302,6 +1302,12 @@ static int esw_enable_vport(struct mlx5_eswitch *esw, u16 vport_num, + (!vport_num && mlx5_core_is_ecpf(esw->dev))) + vport->info.trusted = true; + ++ /* External controller host PF has factory programmed MAC. ++ * Read it from the device. ++ */ ++ if (mlx5_core_is_ecpf(esw->dev) && vport_num == MLX5_VPORT_PF) ++ mlx5_query_nic_vport_mac_address(esw->dev, vport_num, true, vport->info.mac); ++ + esw_vport_change_handle_locked(vport); + + esw->enabled_vports++; +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5-reset-mkey-index-on-creation.patch b/queue-5.10/net-mlx5-reset-mkey-index-on-creation.patch new file mode 100644 index 00000000000..a0ce6af899f --- /dev/null +++ b/queue-5.10/net-mlx5-reset-mkey-index-on-creation.patch @@ -0,0 +1,41 @@ +From cc62b4ea76ebdec07eb924b6c30fba8cec58b81d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 14:20:28 +0300 +Subject: net/mlx5: Reset mkey index on creation + +From: Aya Levin + +[ Upstream commit 0232fc2ddcf4ffe01069fd1aa07922652120f44a ] + +Reset only the index part of the mkey and keep the variant part. On +devlink reload, driver recreates mkeys, so the mkey index may change. +Trying to preserve the variant part of the mkey, driver mistakenly +merged the mkey index with current value. In case of a devlink reload, +current value of index part is dirty, so the index may be corrupted. + +Fixes: 54c62e13ad76 ("{IB,net}/mlx5: Setup mkey variant before mr create command invocation") +Signed-off-by: Aya Levin +Signed-off-by: Amir Tzin +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/mr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/mr.c b/drivers/net/ethernet/mellanox/mlx5/core/mr.c +index 9eb51f06d3ae..d1972508338c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/mr.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/mr.c +@@ -54,7 +54,7 @@ int mlx5_core_create_mkey(struct mlx5_core_dev *dev, + mkey_index = MLX5_GET(create_mkey_out, lout, mkey_index); + mkey->iova = MLX5_GET64(mkc, mkc, start_addr); + mkey->size = MLX5_GET64(mkc, mkc, len); +- mkey->key |= mlx5_idx_to_mkey(mkey_index); ++ mkey->key = (u32)mlx5_mkey_variant(mkey->key) | mlx5_idx_to_mkey(mkey_index); + mkey->pd = MLX5_GET(mkc, mkc, pd); + + mlx5_core_dbg(dev, "out 0x%x, mkey 0x%x\n", mkey_index, mkey->key); +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch b/queue-5.10/net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch new file mode 100644 index 00000000000..e55642c6c4f --- /dev/null +++ b/queue-5.10/net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch @@ -0,0 +1,46 @@ +From 9e71b660f238177597d8d894e9f8b99041cefdca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 14:34:58 +0300 +Subject: net/mlx5e: Block offload of outer header csum for UDP tunnels + +From: Aya Levin + +[ Upstream commit 6d6727dddc7f93fcc155cb8d0c49c29ae0e71122 ] + +The device is able to offload either the outer header csum or inner +header csum. The driver utilizes the inner csum offload. Hence, block +setting of tx-udp_tnl-csum-segmentation and set it to off[fixed]. + +Fixes: b49663c8fb49 ("net/mlx5e: Add support for UDP tunnel segmentation with outer checksum offload") +Signed-off-by: Aya Levin +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index f18b52be32e9..d81fa8e56199 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4958,13 +4958,9 @@ static void mlx5e_build_nic_netdev(struct net_device *netdev) + } + + if (mlx5_vxlan_allowed(mdev->vxlan) || mlx5_geneve_tx_allowed(mdev)) { +- netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL | +- NETIF_F_GSO_UDP_TUNNEL_CSUM; +- netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL | +- NETIF_F_GSO_UDP_TUNNEL_CSUM; +- netdev->gso_partial_features = NETIF_F_GSO_UDP_TUNNEL_CSUM; +- netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL | +- NETIF_F_GSO_UDP_TUNNEL_CSUM; ++ netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL; ++ netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL; ++ netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL; + } + + if (mlx5e_tunnel_proto_supported(mdev, IPPROTO_GRE)) { +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5e-fix-page-reclaim-for-dead-peer-hairpin.patch b/queue-5.10/net-mlx5e-fix-page-reclaim-for-dead-peer-hairpin.patch new file mode 100644 index 00000000000..57a7e55e2bc --- /dev/null +++ b/queue-5.10/net-mlx5e-fix-page-reclaim-for-dead-peer-hairpin.patch @@ -0,0 +1,169 @@ +From 71c9c5f1cccfe16eea20b6acfae502e5223072e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 13:45:10 +0300 +Subject: net/mlx5e: Fix page reclaim for dead peer hairpin + +From: Dima Chumak + +[ Upstream commit a3e5fd9314dfc4314a9567cde96e1aef83a7458a ] + +When adding a hairpin flow, a firmware-side send queue is created for +the peer net device, which claims some host memory pages for its +internal ring buffer. If the peer net device is removed/unbound before +the hairpin flow is deleted, then the send queue is not destroyed which +leads to a stack trace on pci device remove: + +[ 748.005230] mlx5_core 0000:08:00.2: wait_func:1094:(pid 12985): MANAGE_PAGES(0x108) timeout. Will cause a leak of a command resource +[ 748.005231] mlx5_core 0000:08:00.2: reclaim_pages:514:(pid 12985): failed reclaiming pages: err -110 +[ 748.001835] mlx5_core 0000:08:00.2: mlx5_reclaim_root_pages:653:(pid 12985): failed reclaiming pages (-110) for func id 0x0 +[ 748.002171] ------------[ cut here ]------------ +[ 748.001177] FW pages counter is 4 after reclaiming all pages +[ 748.001186] WARNING: CPU: 1 PID: 12985 at drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c:685 mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core] [ +0.002771] Modules linked in: cls_flower mlx5_ib mlx5_core ptp pps_core act_mirred sch_ingress openvswitch nsh xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay fuse [last unloaded: pps_core] +[ 748.007225] CPU: 1 PID: 12985 Comm: tee Not tainted 5.12.0+ #1 +[ 748.001376] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +[ 748.002315] RIP: 0010:mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core] +[ 748.001679] Code: 28 00 00 00 0f 85 22 01 00 00 48 81 c4 b0 00 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c7 40 cc 19 a1 e8 9f 71 0e e2 <0f> 0b e9 30 ff ff ff 48 c7 c7 a0 cc 19 a1 e8 8c 71 0e e2 0f 0b e9 +[ 748.003781] RSP: 0018:ffff88815220faf8 EFLAGS: 00010286 +[ 748.001149] RAX: 0000000000000000 RBX: ffff8881b4900280 RCX: 0000000000000000 +[ 748.001445] RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffffed102a441f51 +[ 748.001614] RBP: 00000000000032b9 R08: 0000000000000001 R09: ffffed1054a15ee8 +[ 748.001446] R10: ffff8882a50af73b R11: ffffed1054a15ee7 R12: fffffbfff07c1e30 +[ 748.001447] R13: dffffc0000000000 R14: ffff8881b492cba8 R15: 0000000000000000 +[ 748.001429] FS: 00007f58bd08b580(0000) GS:ffff8882a5080000(0000) knlGS:0000000000000000 +[ 748.001695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 748.001309] CR2: 000055a026351740 CR3: 00000001d3b48006 CR4: 0000000000370ea0 +[ 748.001506] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 748.001483] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 748.001654] Call Trace: +[ 748.000576] ? mlx5_satisfy_startup_pages+0x290/0x290 [mlx5_core] +[ 748.001416] ? mlx5_cmd_teardown_hca+0xa2/0xd0 [mlx5_core] +[ 748.001354] ? mlx5_cmd_init_hca+0x280/0x280 [mlx5_core] +[ 748.001203] mlx5_function_teardown+0x30/0x60 [mlx5_core] +[ 748.001275] mlx5_uninit_one+0xa7/0xc0 [mlx5_core] +[ 748.001200] remove_one+0x5f/0xc0 [mlx5_core] +[ 748.001075] pci_device_remove+0x9f/0x1d0 +[ 748.000833] device_release_driver_internal+0x1e0/0x490 +[ 748.001207] unbind_store+0x19f/0x200 +[ 748.000942] ? sysfs_file_ops+0x170/0x170 +[ 748.001000] kernfs_fop_write_iter+0x2bc/0x450 +[ 748.000970] new_sync_write+0x373/0x610 +[ 748.001124] ? new_sync_read+0x600/0x600 +[ 748.001057] ? lock_acquire+0x4d6/0x700 +[ 748.000908] ? lockdep_hardirqs_on_prepare+0x400/0x400 +[ 748.001126] ? fd_install+0x1c9/0x4d0 +[ 748.000951] vfs_write+0x4d0/0x800 +[ 748.000804] ksys_write+0xf9/0x1d0 +[ 748.000868] ? __x64_sys_read+0xb0/0xb0 +[ 748.000811] ? filp_open+0x50/0x50 +[ 748.000919] ? syscall_enter_from_user_mode+0x1d/0x50 +[ 748.001223] do_syscall_64+0x3f/0x80 +[ 748.000892] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 748.001026] RIP: 0033:0x7f58bcfb22f7 +[ 748.000944] Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 +[ 748.003925] RSP: 002b:00007fffd7f2aaa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 748.001732] RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f58bcfb22f7 +[ 748.001426] RDX: 000000000000000d RSI: 00007fffd7f2abc0 RDI: 0000000000000003 +[ 748.001746] RBP: 00007fffd7f2abc0 R08: 0000000000000000 R09: 0000000000000001 +[ 748.001631] R10: 00000000000001b6 R11: 0000000000000246 R12: 000000000000000d +[ 748.001537] R13: 00005597ac2c24a0 R14: 000000000000000d R15: 00007f58bd084700 +[ 748.001564] irq event stamp: 0 +[ 748.000787] hardirqs last enabled at (0): [<0000000000000000>] 0x0 +[ 748.001399] hardirqs last disabled at (0): [] copy_process+0x146f/0x5eb0 +[ 748.001854] softirqs last enabled at (0): [] copy_process+0x14ae/0x5eb0 +[ 748.013431] softirqs last disabled at (0): [<0000000000000000>] 0x0 +[ 748.001492] ---[ end trace a6fabd773d1c51ae ]--- + +Fix by destroying the send queue of a hairpin peer net device that is +being removed/unbound, which returns the allocated ring buffer pages to +the host. + +Fixes: 4d8fcf216c90 ("net/mlx5e: Avoid unbounded peer devices when unpairing TC hairpin rules") +Signed-off-by: Dima Chumak +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_tc.c | 2 +- + .../ethernet/mellanox/mlx5/core/transobj.c | 30 +++++++++++++++---- + include/linux/mlx5/transobj.h | 1 + + 3 files changed, 26 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 80abdb0b47d7..59837af959d0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -5206,7 +5206,7 @@ static void mlx5e_tc_hairpin_update_dead_peer(struct mlx5e_priv *priv, + list_for_each_entry_safe(hpe, tmp, &init_wait_list, dead_peer_wait_list) { + wait_for_completion(&hpe->res_ready); + if (!IS_ERR_OR_NULL(hpe->hp) && hpe->peer_vhca_id == peer_vhca_id) +- hpe->hp->pair->peer_gone = true; ++ mlx5_core_hairpin_clear_dead_peer(hpe->hp->pair); + + mlx5e_hairpin_put(priv, hpe); + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/transobj.c b/drivers/net/ethernet/mellanox/mlx5/core/transobj.c +index 01cc00ad8acf..b6931bbe52d2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/transobj.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/transobj.c +@@ -424,6 +424,15 @@ err_modify_sq: + return err; + } + ++static void mlx5_hairpin_unpair_peer_sq(struct mlx5_hairpin *hp) ++{ ++ int i; ++ ++ for (i = 0; i < hp->num_channels; i++) ++ mlx5_hairpin_modify_sq(hp->peer_mdev, hp->sqn[i], MLX5_SQC_STATE_RDY, ++ MLX5_SQC_STATE_RST, 0, 0); ++} ++ + static void mlx5_hairpin_unpair_queues(struct mlx5_hairpin *hp) + { + int i; +@@ -432,13 +441,9 @@ static void mlx5_hairpin_unpair_queues(struct mlx5_hairpin *hp) + for (i = 0; i < hp->num_channels; i++) + mlx5_hairpin_modify_rq(hp->func_mdev, hp->rqn[i], MLX5_RQC_STATE_RDY, + MLX5_RQC_STATE_RST, 0, 0); +- + /* unset peer SQs */ +- if (hp->peer_gone) +- return; +- for (i = 0; i < hp->num_channels; i++) +- mlx5_hairpin_modify_sq(hp->peer_mdev, hp->sqn[i], MLX5_SQC_STATE_RDY, +- MLX5_SQC_STATE_RST, 0, 0); ++ if (!hp->peer_gone) ++ mlx5_hairpin_unpair_peer_sq(hp); + } + + struct mlx5_hairpin * +@@ -485,3 +490,16 @@ void mlx5_core_hairpin_destroy(struct mlx5_hairpin *hp) + mlx5_hairpin_destroy_queues(hp); + kfree(hp); + } ++ ++void mlx5_core_hairpin_clear_dead_peer(struct mlx5_hairpin *hp) ++{ ++ int i; ++ ++ mlx5_hairpin_unpair_peer_sq(hp); ++ ++ /* destroy peer SQ */ ++ for (i = 0; i < hp->num_channels; i++) ++ mlx5_core_destroy_sq(hp->peer_mdev, hp->sqn[i]); ++ ++ hp->peer_gone = true; ++} +diff --git a/include/linux/mlx5/transobj.h b/include/linux/mlx5/transobj.h +index 028f442530cf..60ffeb6b67ae 100644 +--- a/include/linux/mlx5/transobj.h ++++ b/include/linux/mlx5/transobj.h +@@ -85,4 +85,5 @@ mlx5_core_hairpin_create(struct mlx5_core_dev *func_mdev, + struct mlx5_hairpin_params *params); + + void mlx5_core_hairpin_destroy(struct mlx5_hairpin *pair); ++void mlx5_core_hairpin_clear_dead_peer(struct mlx5_hairpin *hp); + #endif /* __TRANSOBJ_H__ */ +-- +2.30.2 + diff --git a/queue-5.10/net-mlx5e-remove-dependency-in-ipsec-initialization-.patch b/queue-5.10/net-mlx5e-remove-dependency-in-ipsec-initialization-.patch new file mode 100644 index 00000000000..69d29061049 --- /dev/null +++ b/queue-5.10/net-mlx5e-remove-dependency-in-ipsec-initialization-.patch @@ -0,0 +1,43 @@ +From deb0a9956c640d5c7e25e78ec9a6148635858367 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 13:20:32 -0500 +Subject: net/mlx5e: Remove dependency in IPsec initialization flows + +From: Huy Nguyen + +[ Upstream commit 8ad893e516a77209a1818a2072d2027d87db809f ] + +Currently, IPsec feature is disabled because mlx5e_build_nic_netdev +is required to be called after mlx5e_ipsec_init. This requirement is +invalid as mlx5e_build_nic_netdev and mlx5e_ipsec_init initialize +independent resources. + +Remove ipsec pointer check in mlx5e_build_nic_netdev so that the +two functions can be called at any order. + +Fixes: 547eede070eb ("net/mlx5e: IPSec, Innova IPSec offload infrastructure") +Signed-off-by: Huy Nguyen +Reviewed-by: Raed Salem +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +index 3d45341e2216..26f7fab109d9 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +@@ -532,9 +532,6 @@ void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv) + struct mlx5_core_dev *mdev = priv->mdev; + struct net_device *netdev = priv->netdev; + +- if (!priv->ipsec) +- return; +- + if (!(mlx5_accel_ipsec_device_caps(mdev) & MLX5_ACCEL_IPSEC_CAP_ESP) || + !MLX5_CAP_ETH(mdev, swp)) { + mlx5_core_dbg(mdev, "mlx5e: ESP and SWP offload not supported\n"); +-- +2.30.2 + diff --git a/queue-5.10/net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch b/queue-5.10/net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch new file mode 100644 index 00000000000..8e86695c1a7 --- /dev/null +++ b/queue-5.10/net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch @@ -0,0 +1,50 @@ +From e2a9291b7ce1432184daaee6305634cffb6cfeb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jun 2021 15:06:50 +0300 +Subject: net: qrtr: fix OOB Read in qrtr_endpoint_post + +From: Pavel Skripkin + +[ Upstream commit ad9d24c9429e2159d1e279dc3a83191ccb4daf1d ] + +Syzbot reported slab-out-of-bounds Read in +qrtr_endpoint_post. The problem was in wrong +_size_ type: + + if (len != ALIGN(size, 4) + hdrlen) + goto err; + +If size from qrtr_hdr is 4294967293 (0xfffffffd), the result of +ALIGN(size, 4) will be 0. In case of len == hdrlen and size == 4294967293 +in header this check won't fail and + + skb_put_data(skb, data + hdrlen, size); + +will read out of bound from data, which is hdrlen allocated block. + +Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets") +Reported-and-tested-by: syzbot+1917d778024161609247@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Reviewed-by: Bjorn Andersson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/qrtr/qrtr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c +index 93a7edcff11e..0d9baddb9cd4 100644 +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -429,7 +429,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) + struct qrtr_sock *ipc; + struct sk_buff *skb; + struct qrtr_cb *cb; +- unsigned int size; ++ size_t size; + unsigned int ver; + size_t hdrlen; + +-- +2.30.2 + diff --git a/queue-5.10/net-qualcomm-rmnet-don-t-over-count-statistics.patch b/queue-5.10/net-qualcomm-rmnet-don-t-over-count-statistics.patch new file mode 100644 index 00000000000..41d3e143df9 --- /dev/null +++ b/queue-5.10/net-qualcomm-rmnet-don-t-over-count-statistics.patch @@ -0,0 +1,79 @@ +From a5c48095dd693278f4d86a468442dd9c17f93eb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 13:26:00 -0500 +Subject: net: qualcomm: rmnet: don't over-count statistics + +From: Alex Elder + +[ Upstream commit 994c393bb6886d6d94d628475b274a8cb3fc67a4 ] + +The purpose of the loop using u64_stats_fetch_*_irq() is to ensure +statistics on a given CPU are collected atomically. If one of the +statistics values gets updated within the begin/retry window, the +loop will run again. + +Currently the statistics totals are updated inside that window. +This means that if the loop ever retries, the statistics for the +CPU will be counted more than once. + +Fix this by taking a snapshot of a CPU's statistics inside the +protected window, and then updating the counters with the snapshot +values after exiting the loop. + +(Also add a newline at the end of this file...) + +Fixes: 192c4b5d48f2a ("net: qualcomm: rmnet: Add support for 64 bit stats") +Signed-off-by: Alex Elder +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/qualcomm/rmnet/rmnet_vnd.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.c +index 6cf46f893fb9..2adcf24848a4 100644 +--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.c ++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.c +@@ -125,24 +125,24 @@ static void rmnet_get_stats64(struct net_device *dev, + struct rtnl_link_stats64 *s) + { + struct rmnet_priv *priv = netdev_priv(dev); +- struct rmnet_vnd_stats total_stats; ++ struct rmnet_vnd_stats total_stats = { }; + struct rmnet_pcpu_stats *pcpu_ptr; ++ struct rmnet_vnd_stats snapshot; + unsigned int cpu, start; + +- memset(&total_stats, 0, sizeof(struct rmnet_vnd_stats)); +- + for_each_possible_cpu(cpu) { + pcpu_ptr = per_cpu_ptr(priv->pcpu_stats, cpu); + + do { + start = u64_stats_fetch_begin_irq(&pcpu_ptr->syncp); +- total_stats.rx_pkts += pcpu_ptr->stats.rx_pkts; +- total_stats.rx_bytes += pcpu_ptr->stats.rx_bytes; +- total_stats.tx_pkts += pcpu_ptr->stats.tx_pkts; +- total_stats.tx_bytes += pcpu_ptr->stats.tx_bytes; ++ snapshot = pcpu_ptr->stats; /* struct assignment */ + } while (u64_stats_fetch_retry_irq(&pcpu_ptr->syncp, start)); + +- total_stats.tx_drops += pcpu_ptr->stats.tx_drops; ++ total_stats.rx_pkts += snapshot.rx_pkts; ++ total_stats.rx_bytes += snapshot.rx_bytes; ++ total_stats.tx_pkts += snapshot.tx_pkts; ++ total_stats.tx_bytes += snapshot.tx_bytes; ++ total_stats.tx_drops += snapshot.tx_drops; + } + + s->rx_packets = total_stats.rx_pkts; +@@ -353,4 +353,4 @@ int rmnet_vnd_update_dev_mtu(struct rmnet_port *port, + } + + return 0; +-} +\ No newline at end of file ++} +-- +2.30.2 + diff --git a/queue-5.10/net-qualcomm-rmnet-update-rmnet-device-mtu-based-on-.patch b/queue-5.10/net-qualcomm-rmnet-update-rmnet-device-mtu-based-on-.patch new file mode 100644 index 00000000000..807c47d004a --- /dev/null +++ b/queue-5.10/net-qualcomm-rmnet-update-rmnet-device-mtu-based-on-.patch @@ -0,0 +1,206 @@ +From 223b21268a13bb5bedeeda9e025597bc420ea5ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Dec 2020 22:51:46 -0700 +Subject: net: qualcomm: rmnet: Update rmnet device MTU based on real device + +From: Subash Abhinov Kasiviswanathan + +[ Upstream commit b7f5eb6ba21b0b54b04918fc9df13309ff3c67b8 ] + +Packets sent by rmnet to the real device have variable MAP header +lengths based on the data format configured. This patch adds checks +to ensure that the real device MTU is sufficient to transmit the MAP +packet comprising of the MAP header and the IP packet. This check +is enforced when rmnet devices are created and updated and during +MTU updates of both the rmnet and real device. + +Additionally, rmnet devices now have a default MTU configured which +accounts for the real device MTU and the headroom based on the data +format. + +Signed-off-by: Sean Tranchetti +Signed-off-by: Subash Abhinov Kasiviswanathan +Tested-by: Loic Poulain +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/qualcomm/rmnet/rmnet_config.c | 15 +++- + .../ethernet/qualcomm/rmnet/rmnet_config.h | 2 + + .../net/ethernet/qualcomm/rmnet/rmnet_vnd.c | 73 ++++++++++++++++++- + .../net/ethernet/qualcomm/rmnet/rmnet_vnd.h | 3 + + 4 files changed, 90 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c +index fcdecddb2812..8d51b0cb545c 100644 +--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c ++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c +@@ -26,7 +26,7 @@ static int rmnet_is_real_dev_registered(const struct net_device *real_dev) + } + + /* Needs rtnl lock */ +-static struct rmnet_port* ++struct rmnet_port* + rmnet_get_port_rtnl(const struct net_device *real_dev) + { + return rtnl_dereference(real_dev->rx_handler_data); +@@ -253,7 +253,10 @@ static int rmnet_config_notify_cb(struct notifier_block *nb, + netdev_dbg(real_dev, "Kernel unregister\n"); + rmnet_force_unassociate_device(real_dev); + break; +- ++ case NETDEV_CHANGEMTU: ++ if (rmnet_vnd_validate_real_dev_mtu(real_dev)) ++ return NOTIFY_BAD; ++ break; + default: + break; + } +@@ -329,9 +332,17 @@ static int rmnet_changelink(struct net_device *dev, struct nlattr *tb[], + + if (data[IFLA_RMNET_FLAGS]) { + struct ifla_rmnet_flags *flags; ++ u32 old_data_format; + ++ old_data_format = port->data_format; + flags = nla_data(data[IFLA_RMNET_FLAGS]); + port->data_format = flags->flags & flags->mask; ++ ++ if (rmnet_vnd_update_dev_mtu(port, real_dev)) { ++ port->data_format = old_data_format; ++ NL_SET_ERR_MSG_MOD(extack, "Invalid MTU on real dev"); ++ return -EINVAL; ++ } + } + + return 0; +diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.h b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.h +index be515982d628..8d8d4690a074 100644 +--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.h ++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.h +@@ -73,4 +73,6 @@ int rmnet_add_bridge(struct net_device *rmnet_dev, + struct netlink_ext_ack *extack); + int rmnet_del_bridge(struct net_device *rmnet_dev, + struct net_device *slave_dev); ++struct rmnet_port* ++rmnet_get_port_rtnl(const struct net_device *real_dev); + #endif /* _RMNET_CONFIG_H_ */ +diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.c +index d58b51d277f1..6cf46f893fb9 100644 +--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.c ++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.c +@@ -58,9 +58,30 @@ static netdev_tx_t rmnet_vnd_start_xmit(struct sk_buff *skb, + return NETDEV_TX_OK; + } + ++static int rmnet_vnd_headroom(struct rmnet_port *port) ++{ ++ u32 headroom; ++ ++ headroom = sizeof(struct rmnet_map_header); ++ ++ if (port->data_format & RMNET_FLAGS_EGRESS_MAP_CKSUMV4) ++ headroom += sizeof(struct rmnet_map_ul_csum_header); ++ ++ return headroom; ++} ++ + static int rmnet_vnd_change_mtu(struct net_device *rmnet_dev, int new_mtu) + { +- if (new_mtu < 0 || new_mtu > RMNET_MAX_PACKET_SIZE) ++ struct rmnet_priv *priv = netdev_priv(rmnet_dev); ++ struct rmnet_port *port; ++ u32 headroom; ++ ++ port = rmnet_get_port_rtnl(priv->real_dev); ++ ++ headroom = rmnet_vnd_headroom(port); ++ ++ if (new_mtu < 0 || new_mtu > RMNET_MAX_PACKET_SIZE || ++ new_mtu > (priv->real_dev->mtu - headroom)) + return -EINVAL; + + rmnet_dev->mtu = new_mtu; +@@ -229,6 +250,7 @@ int rmnet_vnd_newlink(u8 id, struct net_device *rmnet_dev, + + { + struct rmnet_priv *priv = netdev_priv(rmnet_dev); ++ u32 headroom; + int rc; + + if (rmnet_get_endpoint(port, id)) { +@@ -242,6 +264,13 @@ int rmnet_vnd_newlink(u8 id, struct net_device *rmnet_dev, + + priv->real_dev = real_dev; + ++ headroom = rmnet_vnd_headroom(port); ++ ++ if (rmnet_vnd_change_mtu(rmnet_dev, real_dev->mtu - headroom)) { ++ NL_SET_ERR_MSG_MOD(extack, "Invalid MTU on real dev"); ++ return -EINVAL; ++ } ++ + rc = register_netdevice(rmnet_dev); + if (!rc) { + ep->egress_dev = rmnet_dev; +@@ -283,3 +312,45 @@ int rmnet_vnd_do_flow_control(struct net_device *rmnet_dev, int enable) + + return 0; + } ++ ++int rmnet_vnd_validate_real_dev_mtu(struct net_device *real_dev) ++{ ++ struct hlist_node *tmp_ep; ++ struct rmnet_endpoint *ep; ++ struct rmnet_port *port; ++ unsigned long bkt_ep; ++ u32 headroom; ++ ++ port = rmnet_get_port_rtnl(real_dev); ++ ++ headroom = rmnet_vnd_headroom(port); ++ ++ hash_for_each_safe(port->muxed_ep, bkt_ep, tmp_ep, ep, hlnode) { ++ if (ep->egress_dev->mtu > (real_dev->mtu - headroom)) ++ return -1; ++ } ++ ++ return 0; ++} ++ ++int rmnet_vnd_update_dev_mtu(struct rmnet_port *port, ++ struct net_device *real_dev) ++{ ++ struct hlist_node *tmp_ep; ++ struct rmnet_endpoint *ep; ++ unsigned long bkt_ep; ++ u32 headroom; ++ ++ headroom = rmnet_vnd_headroom(port); ++ ++ hash_for_each_safe(port->muxed_ep, bkt_ep, tmp_ep, ep, hlnode) { ++ if (ep->egress_dev->mtu <= (real_dev->mtu - headroom)) ++ continue; ++ ++ if (rmnet_vnd_change_mtu(ep->egress_dev, ++ real_dev->mtu - headroom)) ++ return -1; ++ } ++ ++ return 0; ++} +\ No newline at end of file +diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.h b/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.h +index 4967f3461ed1..dc3a4443ef0a 100644 +--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.h ++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_vnd.h +@@ -18,4 +18,7 @@ int rmnet_vnd_dellink(u8 id, struct rmnet_port *port, + void rmnet_vnd_rx_fixup(struct sk_buff *skb, struct net_device *dev); + void rmnet_vnd_tx_fixup(struct sk_buff *skb, struct net_device *dev); + void rmnet_vnd_setup(struct net_device *dev); ++int rmnet_vnd_validate_real_dev_mtu(struct net_device *real_dev); ++int rmnet_vnd_update_dev_mtu(struct rmnet_port *port, ++ struct net_device *real_dev); + #endif /* _RMNET_VND_H_ */ +-- +2.30.2 + diff --git a/queue-5.10/net-rds-fix-memory-leak-in-rds_recvmsg.patch b/queue-5.10/net-rds-fix-memory-leak-in-rds_recvmsg.patch new file mode 100644 index 00000000000..24fb863aafd --- /dev/null +++ b/queue-5.10/net-rds-fix-memory-leak-in-rds_recvmsg.patch @@ -0,0 +1,73 @@ +From 1ee076a2d22aa19a0a934dd8a16bfe25abe97e44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 11:06:41 +0300 +Subject: net: rds: fix memory leak in rds_recvmsg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pavel Skripkin + +[ Upstream commit 49bfcbfd989a8f1f23e705759a6bb099de2cff9f ] + +Syzbot reported memory leak in rds. The problem +was in unputted refcount in case of error. + +int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, + int msg_flags) +{ +... + + if (!rds_next_incoming(rs, &inc)) { + ... + } + +After this "if" inc refcount incremented and + + if (rds_cmsg_recv(inc, msg, rs)) { + ret = -EFAULT; + goto out; + } +... +out: + return ret; +} + +in case of rds_cmsg_recv() fail the refcount won't be +decremented. And it's easy to see from ftrace log, that +rds_inc_addref() don't have rds_inc_put() pair in +rds_recvmsg() after rds_cmsg_recv() + + 1) | rds_recvmsg() { + 1) 3.721 us | rds_inc_addref(); + 1) 3.853 us | rds_message_inc_copy_to_user(); + 1) + 10.395 us | rds_cmsg_recv(); + 1) + 34.260 us | } + +Fixes: bdbe6fbc6a2f ("RDS: recv.c") +Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Reviewed-by: Håkon Bugge +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rds/recv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rds/recv.c b/net/rds/recv.c +index aba4afe4dfed..967d115f97ef 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -714,7 +714,7 @@ int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, + + if (rds_cmsg_recv(inc, msg, rs)) { + ret = -EFAULT; +- goto out; ++ break; + } + rds_recvmsg_zcookie(rs, msg); + +-- +2.30.2 + diff --git a/queue-5.10/net-sched-act_ct-handle-dnat-tuple-collision.patch b/queue-5.10/net-sched-act_ct-handle-dnat-tuple-collision.patch new file mode 100644 index 00000000000..be7a21d2457 --- /dev/null +++ b/queue-5.10/net-sched-act_ct-handle-dnat-tuple-collision.patch @@ -0,0 +1,67 @@ +From 3a28f7fdcfccead00ede94c5dd8dc4837d197a3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 11:23:56 -0300 +Subject: net/sched: act_ct: handle DNAT tuple collision + +From: Marcelo Ricardo Leitner + +[ Upstream commit 13c62f5371e3eb4fc3400cfa26e64ca75f888008 ] + +This this the counterpart of 8aa7b526dc0b ("openvswitch: handle DNAT +tuple collision") for act_ct. From that commit changelog: + +""" +With multiple DNAT rules it's possible that after destination +translation the resulting tuples collide. + +... + +Netfilter handles this case by allocating a null binding for SNAT at +egress by default. Perform the same operation in openvswitch for DNAT +if no explicit SNAT is requested by the user and allocate a null binding +for SNAT for packets in the "original" direction. +""" + +Fixes: 95219afbb980 ("act_ct: support asymmetric conntrack") +Signed-off-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/act_ct.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c +index 315a5b2f3add..7ef074c6dd16 100644 +--- a/net/sched/act_ct.c ++++ b/net/sched/act_ct.c +@@ -900,14 +900,19 @@ static int tcf_ct_act_nat(struct sk_buff *skb, + } + + err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); +- if (err == NF_ACCEPT && +- ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) { +- if (maniptype == NF_NAT_MANIP_SRC) +- maniptype = NF_NAT_MANIP_DST; +- else +- maniptype = NF_NAT_MANIP_SRC; +- +- err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); ++ if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) { ++ if (ct->status & IPS_SRC_NAT) { ++ if (maniptype == NF_NAT_MANIP_SRC) ++ maniptype = NF_NAT_MANIP_DST; ++ else ++ maniptype = NF_NAT_MANIP_SRC; ++ ++ err = ct_nat_execute(skb, ct, ctinfo, range, ++ maniptype); ++ } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) { ++ err = ct_nat_execute(skb, ct, ctinfo, NULL, ++ NF_NAT_MANIP_SRC); ++ } + } + return err; + #else +-- +2.30.2 + diff --git a/queue-5.10/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch b/queue-5.10/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch new file mode 100644 index 00000000000..6da4240ad9a --- /dev/null +++ b/queue-5.10/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch @@ -0,0 +1,42 @@ +From 6a0441876b4b69e427bcc6ad67b75eb95d6ef5ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 15:16:11 +0800 +Subject: net: stmmac: dwmac1000: Fix extended MAC address registers definition + +From: Jisheng Zhang + +[ Upstream commit 1adb20f0d496b2c61e9aa1f4761b8d71f93d258e ] + +The register starts from 0x800 is the 16th MAC address register rather +than the first one. + +Fixes: cffb13f4d6fb ("stmmac: extend mac addr reg and fix perfect filering") +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac1000.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +index b70d44ac0990..3c73453725f9 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +@@ -76,10 +76,10 @@ enum power_event { + #define LPI_CTRL_STATUS_TLPIEN 0x00000001 /* Transmit LPI Entry */ + + /* GMAC HW ADDR regs */ +-#define GMAC_ADDR_HIGH(reg) (((reg > 15) ? 0x00000800 : 0x00000040) + \ +- (reg * 8)) +-#define GMAC_ADDR_LOW(reg) (((reg > 15) ? 0x00000804 : 0x00000044) + \ +- (reg * 8)) ++#define GMAC_ADDR_HIGH(reg) ((reg > 15) ? 0x00000800 + (reg - 16) * 8 : \ ++ 0x00000040 + (reg * 8)) ++#define GMAC_ADDR_LOW(reg) ((reg > 15) ? 0x00000804 + (reg - 16) * 8 : \ ++ 0x00000044 + (reg * 8)) + #define GMAC_MAX_PERFECT_ADDRESSES 1 + + #define GMAC_PCS_BASE 0x000000c0 /* PCS register base */ +-- +2.30.2 + diff --git a/queue-5.10/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch b/queue-5.10/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch new file mode 100644 index 00000000000..8a1cef9f271 --- /dev/null +++ b/queue-5.10/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch @@ -0,0 +1,72 @@ +From 9fe71a66efb773c288a90fefb9b0892e8ae05a31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 10:48:33 +0800 +Subject: net: usb: fix possible use-after-free in smsc75xx_bind + +From: Dongliang Mu + +[ Upstream commit 56b786d86694e079d8aad9b314e015cd4ac02a3d ] + +The commit 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind") +fails to clean up the work scheduled in smsc75xx_reset-> +smsc75xx_set_multicast, which leads to use-after-free if the work is +scheduled to start after the deallocation. In addition, this patch +also removes a dangling pointer - dev->data[0]. + +This patch calls cancel_work_sync to cancel the scheduled work and set +the dangling pointer to NULL. + +Fixes: 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind") +Signed-off-by: Dongliang Mu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc75xx.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index d44657b54d2b..378a12ae2d95 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -1483,7 +1483,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + ret = smsc75xx_wait_ready(dev, 0); + if (ret < 0) { + netdev_warn(dev->net, "device not ready in smsc75xx_bind\n"); +- goto err; ++ goto free_pdata; + } + + smsc75xx_init_mac_address(dev); +@@ -1492,7 +1492,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + ret = smsc75xx_reset(dev); + if (ret < 0) { + netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret); +- goto err; ++ goto cancel_work; + } + + dev->net->netdev_ops = &smsc75xx_netdev_ops; +@@ -1503,8 +1503,11 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf) + dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE; + return 0; + +-err: ++cancel_work: ++ cancel_work_sync(&pdata->set_multicast); ++free_pdata: + kfree(pdata); ++ dev->data[0] = 0; + return ret; + } + +@@ -1515,7 +1518,6 @@ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf) + cancel_work_sync(&pdata->set_multicast); + netif_dbg(dev, ifdown, dev->net, "free pdata\n"); + kfree(pdata); +- pdata = NULL; + dev->data[0] = 0; + } + } +-- +2.30.2 + diff --git a/queue-5.10/netfilter-nft_fib_ipv6-skip-ipv6-packets-from-any-to.patch b/queue-5.10/netfilter-nft_fib_ipv6-skip-ipv6-packets-from-any-to.patch new file mode 100644 index 00000000000..03ec6e4f40b --- /dev/null +++ b/queue-5.10/netfilter-nft_fib_ipv6-skip-ipv6-packets-from-any-to.patch @@ -0,0 +1,69 @@ +From f3fcd25287fe8f26fc49cc960396543fa7db779b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 13:48:18 +0200 +Subject: netfilter: nft_fib_ipv6: skip ipv6 packets from any to link-local + +From: Florian Westphal + +[ Upstream commit 12f36e9bf678a81d030ca1b693dcda62b55af7c5 ] + +The ip6tables rpfilter match has an extra check to skip packets with +"::" source address. + +Extend this to ipv6 fib expression. Else ipv6 duplicate address detection +packets will fail rpf route check -- lookup returns -ENETUNREACH. + +While at it, extend the prerouting check to also cover the ingress hook. + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1543 +Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/nft_fib_ipv6.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c +index e204163c7036..92f3235fa287 100644 +--- a/net/ipv6/netfilter/nft_fib_ipv6.c ++++ b/net/ipv6/netfilter/nft_fib_ipv6.c +@@ -135,6 +135,17 @@ void nft_fib6_eval_type(const struct nft_expr *expr, struct nft_regs *regs, + } + EXPORT_SYMBOL_GPL(nft_fib6_eval_type); + ++static bool nft_fib_v6_skip_icmpv6(const struct sk_buff *skb, u8 next, const struct ipv6hdr *iph) ++{ ++ if (likely(next != IPPROTO_ICMPV6)) ++ return false; ++ ++ if (ipv6_addr_type(&iph->saddr) != IPV6_ADDR_ANY) ++ return false; ++ ++ return ipv6_addr_type(&iph->daddr) & IPV6_ADDR_LINKLOCAL; ++} ++ + void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + const struct nft_pktinfo *pkt) + { +@@ -163,10 +174,13 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + + lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph); + +- if (nft_hook(pkt) == NF_INET_PRE_ROUTING && +- nft_fib_is_loopback(pkt->skb, nft_in(pkt))) { +- nft_fib_store_result(dest, priv, nft_in(pkt)); +- return; ++ if (nft_hook(pkt) == NF_INET_PRE_ROUTING || ++ nft_hook(pkt) == NF_INET_INGRESS) { ++ if (nft_fib_is_loopback(pkt->skb, nft_in(pkt)) || ++ nft_fib_v6_skip_icmpv6(pkt->skb, pkt->tprot, iph)) { ++ nft_fib_store_result(dest, priv, nft_in(pkt)); ++ return; ++ } + } + + *dest = 0; +-- +2.30.2 + diff --git a/queue-5.10/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch b/queue-5.10/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch new file mode 100644 index 00000000000..5f9afc28412 --- /dev/null +++ b/queue-5.10/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch @@ -0,0 +1,59 @@ +From d3319451cd5c664434ea200a76c6192a92e3fdf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 19:40:29 +0300 +Subject: netfilter: synproxy: Fix out of bounds when parsing TCP options + +From: Maxim Mikityanskiy + +[ Upstream commit 5fc177ab759418c9537433e63301096e733fb915 ] + +The TCP option parser in synproxy (synproxy_parse_options) could read +one byte out of bounds. When the length is 1, the execution flow gets +into the loop, reads one byte of the opcode, and if the opcode is +neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds +the length of 1. + +This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack +out of bounds when parsing TCP options."). + +v2 changes: + +Added an early return when length < 0 to avoid calling +skb_header_pointer with negative length. + +Cc: Young Xiao <92siuyang@gmail.com> +Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Florian Westphal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_synproxy_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c +index d7d34a62d3bf..2fc4ae960769 100644 +--- a/net/netfilter/nf_synproxy_core.c ++++ b/net/netfilter/nf_synproxy_core.c +@@ -31,6 +31,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, + int length = (th->doff * 4) - sizeof(*th); + u8 buf[40], *ptr; + ++ if (unlikely(length < 0)) ++ return false; ++ + ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf); + if (ptr == NULL) + return false; +@@ -47,6 +50,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, + length--; + continue; + default: ++ if (length < 2) ++ return true; + opsize = *ptr++; + if (opsize < 2) + return true; +-- +2.30.2 + diff --git a/queue-5.10/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch b/queue-5.10/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch new file mode 100644 index 00000000000..14bb49ffeac --- /dev/null +++ b/queue-5.10/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch @@ -0,0 +1,37 @@ +From 78b62724d8a011ccea3a88670090ecf83cac6e25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 14:53:12 +0200 +Subject: netxen_nic: Fix an error handling path in 'netxen_nic_probe()' + +From: Christophe JAILLET + +[ Upstream commit 49a10c7b176295f8fafb338911cf028e97f65f4d ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: e87ad5539343 ("netxen: support pci error handlers") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +index d258e0ccf946..e2046b6d65a3 100644 +--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c ++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c +@@ -1602,6 +1602,8 @@ err_out_free_netdev: + free_netdev(netdev); + + err_out_free_res: ++ if (NX_IS_REVISION_P3(pdev->revision)) ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + + err_out_disable_pdev: +-- +2.30.2 + diff --git a/queue-5.10/ptp-improve-max_adj-check-against-unreasonable-value.patch b/queue-5.10/ptp-improve-max_adj-check-against-unreasonable-value.patch new file mode 100644 index 00000000000..ad93ac404db --- /dev/null +++ b/queue-5.10/ptp-improve-max_adj-check-against-unreasonable-value.patch @@ -0,0 +1,80 @@ +From b4cbe95007c89435255cb5e0b787b210b0ab0c9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jun 2021 15:24:05 -0700 +Subject: ptp: improve max_adj check against unreasonable values + +From: Jakub Kicinski + +[ Upstream commit 475b92f932168a78da8109acd10bfb7578b8f2bb ] + +Scaled PPM conversion to PPB may (on 64bit systems) result +in a value larger than s32 can hold (freq/scaled_ppm is a long). +This means the kernel will not correctly reject unreasonably +high ->freq values (e.g. > 4294967295ppb, 281474976645 scaled PPM). + +The conversion is equivalent to a division by ~66 (65.536), +so the value of ppb is always smaller than ppm, but not small +enough to assume narrowing the type from long -> s32 is okay. + +Note that reasonable user space (e.g. ptp4l) will not use such +high values, anyway, 4289046510ppb ~= 4.3x, so the fix is +somewhat pedantic. + +Fixes: d39a743511cd ("ptp: validate the requested frequency adjustment.") +Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.") +Signed-off-by: Jakub Kicinski +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_clock.c | 6 +++--- + include/linux/ptp_clock_kernel.h | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c +index 03a246e60fd9..21c4c34c52d8 100644 +--- a/drivers/ptp/ptp_clock.c ++++ b/drivers/ptp/ptp_clock.c +@@ -63,7 +63,7 @@ static void enqueue_external_timestamp(struct timestamp_event_queue *queue, + spin_unlock_irqrestore(&queue->lock, flags); + } + +-s32 scaled_ppm_to_ppb(long ppm) ++long scaled_ppm_to_ppb(long ppm) + { + /* + * The 'freq' field in the 'struct timex' is in parts per +@@ -80,7 +80,7 @@ s32 scaled_ppm_to_ppb(long ppm) + s64 ppb = 1 + ppm; + ppb *= 125; + ppb >>= 13; +- return (s32) ppb; ++ return (long) ppb; + } + EXPORT_SYMBOL(scaled_ppm_to_ppb); + +@@ -138,7 +138,7 @@ static int ptp_clock_adjtime(struct posix_clock *pc, struct __kernel_timex *tx) + delta = ktime_to_ns(kt); + err = ops->adjtime(ops, delta); + } else if (tx->modes & ADJ_FREQUENCY) { +- s32 ppb = scaled_ppm_to_ppb(tx->freq); ++ long ppb = scaled_ppm_to_ppb(tx->freq); + if (ppb > ops->max_adj || ppb < -ops->max_adj) + return -ERANGE; + if (ops->adjfine) +diff --git a/include/linux/ptp_clock_kernel.h b/include/linux/ptp_clock_kernel.h +index d3e8ba5c7125..6d6b42143eff 100644 +--- a/include/linux/ptp_clock_kernel.h ++++ b/include/linux/ptp_clock_kernel.h +@@ -222,7 +222,7 @@ extern int ptp_clock_index(struct ptp_clock *ptp); + * @ppm: Parts per million, but with a 16 bit binary fractional field + */ + +-extern s32 scaled_ppm_to_ppb(long ppm); ++extern long scaled_ppm_to_ppb(long ppm); + + /** + * ptp_find_pin() - obtain the pin index of a given auxiliary function +-- +2.30.2 + diff --git a/queue-5.10/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch b/queue-5.10/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch new file mode 100644 index 00000000000..66f933fa091 --- /dev/null +++ b/queue-5.10/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch @@ -0,0 +1,36 @@ +From b1ed1462a1e14aed2afb010d439cbdbd9c430e81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jun 2021 14:37:46 +0200 +Subject: qlcnic: Fix an error handling path in 'qlcnic_probe()' + +From: Christophe JAILLET + +[ Upstream commit cb3376604a676e0302258b01893911bdd7aa5278 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: 451724c821c1 ("qlcnic: aer support") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +index c2faf96fcade..27c07b2412f4 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +@@ -2692,6 +2692,7 @@ err_out_free_hw_res: + kfree(ahw); + + err_out_free_res: ++ pci_disable_pcie_error_reporting(pdev); + pci_release_regions(pdev); + + err_out_disable_pdev: +-- +2.30.2 + diff --git a/queue-5.10/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch b/queue-5.10/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch new file mode 100644 index 00000000000..d3c2d21e15a --- /dev/null +++ b/queue-5.10/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch @@ -0,0 +1,55 @@ +From 2b959cc4c98724422fac986628a29ffc4a153fbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 14:17:53 +0300 +Subject: rtnetlink: Fix regression in bridge VLAN configuration + +From: Ido Schimmel + +[ Upstream commit d2e381c4963663bca6f30c3b996fa4dbafe8fcb5 ] + +Cited commit started returning errors when notification info is not +filled by the bridge driver, resulting in the following regression: + + # ip link add name br1 type bridge vlan_filtering 1 + # bridge vlan add dev br1 vid 555 self pvid untagged + RTNETLINK answers: Invalid argument + +As long as the bridge driver does not fill notification info for the +bridge device itself, an empty notification should not be considered as +an error. This is explained in commit 59ccaaaa49b5 ("bridge: dont send +notification when skb->len == 0 in rtnl_bridge_notify"). + +Fix by removing the error and add a comment to avoid future bugs. + +Fixes: a8db57c1d285 ("rtnetlink: Fix missing error code in rtnl_bridge_notify()") +Signed-off-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 83894723ebee..dd4659246405 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -4842,10 +4842,12 @@ static int rtnl_bridge_notify(struct net_device *dev) + if (err < 0) + goto errout; + +- if (!skb->len) { +- err = -EINVAL; ++ /* Notification info is only filled for bridge ports, not the bridge ++ * device itself. Therefore, a zero notification length is valid and ++ * should not result in an error. ++ */ ++ if (!skb->len) + goto errout; +- } + + rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, GFP_ATOMIC); + return 0; +-- +2.30.2 + diff --git a/queue-5.10/sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch b/queue-5.10/sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch new file mode 100644 index 00000000000..c0a32a09b19 --- /dev/null +++ b/queue-5.10/sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch @@ -0,0 +1,72 @@ +From bb56fb75f90e6087c9bfa04ca678432ffc0902e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 19:40:31 +0300 +Subject: sch_cake: Fix out of bounds when parsing TCP options and header +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxim Mikityanskiy + +[ Upstream commit ba91c49dedbde758ba0b72f57ac90b06ddf8e548 ] + +The TCP option parser in cake qdisc (cake_get_tcpopt and +cake_tcph_may_drop) could read one byte out of bounds. When the length +is 1, the execution flow gets into the loop, reads one byte of the +opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads +one more byte, which exceeds the length of 1. + +This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack +out of bounds when parsing TCP options."). + +v2 changes: + +Added doff validation in cake_get_tcphdr to avoid parsing garbage as TCP +header. Although it wasn't strictly an out-of-bounds access (memory was +allocated), garbage values could be read where CAKE expected the TCP +header if doff was smaller than 5. + +Cc: Young Xiao <92siuyang@gmail.com> +Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter") +Signed-off-by: Maxim Mikityanskiy +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_cake.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index 7d37638ee1c7..5c15968b5155 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -943,7 +943,7 @@ static struct tcphdr *cake_get_tcphdr(const struct sk_buff *skb, + } + + tcph = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); +- if (!tcph) ++ if (!tcph || tcph->doff < 5) + return NULL; + + return skb_header_pointer(skb, offset, +@@ -967,6 +967,8 @@ static const void *cake_get_tcpopt(const struct tcphdr *tcph, + length--; + continue; + } ++ if (length < 2) ++ break; + opsize = *ptr++; + if (opsize < 2 || opsize > length) + break; +@@ -1104,6 +1106,8 @@ static bool cake_tcph_may_drop(const struct tcphdr *tcph, + length--; + continue; + } ++ if (length < 2) ++ break; + opsize = *ptr++; + if (opsize < 2 || opsize > length) + break; +-- +2.30.2 + diff --git a/queue-5.10/selftests-mptcp-enable-syncookie-only-in-absence-of-.patch b/queue-5.10/selftests-mptcp-enable-syncookie-only-in-absence-of-.patch new file mode 100644 index 00000000000..d3bbf5a1226 --- /dev/null +++ b/queue-5.10/selftests-mptcp-enable-syncookie-only-in-absence-of-.patch @@ -0,0 +1,55 @@ +From 3c6eab1502574168149d1a60fde29023508c6b14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 15:59:43 -0700 +Subject: selftests: mptcp: enable syncookie only in absence of reorders + +From: Paolo Abeni + +[ Upstream commit 2395da0e17935ce9158cdfae433962bdb6cbfa67 ] + +Syncookie validation may fail for OoO packets, causing spurious +resets and self-tests failures, so let's force syncookie only +for tests iteration with no OoO. + +Fixes: fed61c4b584c ("selftests: mptcp: make 2nd net namespace use tcp syn cookies unconditionally") +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/198 +Signed-off-by: Paolo Abeni +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/mptcp/mptcp_connect.sh | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/net/mptcp/mptcp_connect.sh b/tools/testing/selftests/net/mptcp/mptcp_connect.sh +index e927df83efb9..987a914ee0df 100755 +--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh +@@ -195,9 +195,6 @@ ip -net "$ns4" link set ns4eth3 up + ip -net "$ns4" route add default via 10.0.3.2 + ip -net "$ns4" route add default via dead:beef:3::2 + +-# use TCP syn cookies, even if no flooding was detected. +-ip netns exec "$ns2" sysctl -q net.ipv4.tcp_syncookies=2 +- + set_ethtool_flags() { + local ns="$1" + local dev="$2" +@@ -666,6 +663,14 @@ for sender in $ns1 $ns2 $ns3 $ns4;do + exit $ret + fi + ++ # ns1<->ns2 is not subject to reordering/tc delays. Use it to test ++ # mptcp syncookie support. ++ if [ $sender = $ns1 ]; then ++ ip netns exec "$ns2" sysctl -q net.ipv4.tcp_syncookies=2 ++ else ++ ip netns exec "$ns2" sysctl -q net.ipv4.tcp_syncookies=1 ++ fi ++ + run_tests "$ns2" $sender 10.0.1.2 + run_tests "$ns2" $sender dead:beef:1::2 + run_tests "$ns2" $sender 10.0.2.1 +-- +2.30.2 + diff --git a/queue-5.10/series b/queue-5.10/series index aa98f653d98..1a1a2e0a5f9 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -9,3 +9,65 @@ afs-fix-an-is_err-vs-null-check.patch mm-memory-failure-make-sure-wait-for-page-writeback-.patch kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch fanotify-fix-copy_event_to_user-fid-error-clean-up.patch +batman-adv-avoid-warn_on-timing-related-checks.patch +mac80211-fix-skb-length-check-in-ieee80211_scan_rx.patch +mlxsw-reg-spectrum-3-enforce-lowest-max-shaper-burst.patch +mlxsw-core-set-thermal-zone-polling-delay-argument-t.patch +libbpf-fixes-incorrect-rx_ring_setup_done.patch +net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch +vrf-fix-maximum-mtu.patch +net-rds-fix-memory-leak-in-rds_recvmsg.patch +net-dsa-felix-re-enable-tx-flow-control-in-ocelot_po.patch +net-lantiq-disable-interrupt-before-sheduling-napi.patch +netfilter-nft_fib_ipv6-skip-ipv6-packets-from-any-to.patch +ice-add-ndo_bpf-callback-for-safe-mode-netdev-ops.patch +ice-parameterize-functions-responsible-for-tx-ring-m.patch +udp-fix-race-between-close-and-udp_abort.patch +rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch +net-sched-act_ct-handle-dnat-tuple-collision.patch +net-mlx5e-remove-dependency-in-ipsec-initialization-.patch +net-mlx5e-fix-page-reclaim-for-dead-peer-hairpin.patch +net-mlx5-consider-roce-cap-before-init-rdma-resource.patch +net-mlx5-dr-allow-sw-steering-for-sw_owner_v2-device.patch +net-mlx5-dr-don-t-use-sw-steering-when-roce-is-not-s.patch +net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch +netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch +mptcp-fix-out-of-bounds-when-parsing-tcp-options.patch +sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch +mptcp-try-harder-to-borrow-memory-from-subflow-under.patch +mptcp-do-not-warn-on-bad-input-from-the-network.patch +selftests-mptcp-enable-syncookie-only-in-absence-of-.patch +alx-fix-an-error-handling-path-in-alx_probe.patch +cxgb4-fix-endianness-when-flashing-boot-image.patch +cxgb4-fix-sleep-in-atomic-when-flashing-phy-firmware.patch +cxgb4-halt-chip-before-flashing-phy-firmware-image.patch +net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch +net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch +net-qualcomm-rmnet-update-rmnet-device-mtu-based-on-.patch +net-qualcomm-rmnet-don-t-over-count-statistics.patch +ethtool-strset-fix-message-length-calculation.patch +qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch +netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch +cxgb4-fix-wrong-ethtool-n-tuple-rule-lookup.patch +ipv4-fix-device-used-for-dst_alloc-with-local-routes.patch +net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch +bpf-fix-leakage-under-speculation-on-mispredicted-br.patch +ptp-improve-max_adj-check-against-unreasonable-value.patch +net-cdc_ncm-switch-to-eth-d-interface-naming.patch +lantiq-net-fix-duplicated-skb-in-rx-descriptor-ring.patch +net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch +net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch +net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch +net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch +net-mlx5-e-switch-read-pf-mac-address.patch +net-mlx5-e-switch-allow-setting-guid-for-host-pf-vpo.patch +net-mlx5-reset-mkey-index-on-creation.patch +be2net-fix-an-error-handling-path-in-be_probe.patch +net-hamradio-fix-memory-leak-in-mkiss_close.patch +net-cdc_eem-fix-tx-fixup-skb-leak.patch +cxgb4-fix-wrong-shift.patch +bnxt_en-rediscover-phy-capabilities-after-firmware-r.patch +bnxt_en-fix-tqm-fastpath-ring-backing-store-computat.patch +bnxt_en-call-bnxt_ethtool_free-in-bnxt_init_one-erro.patch +icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch +net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch diff --git a/queue-5.10/udp-fix-race-between-close-and-udp_abort.patch b/queue-5.10/udp-fix-race-between-close-and-udp_abort.patch new file mode 100644 index 00000000000..9d256928f70 --- /dev/null +++ b/queue-5.10/udp-fix-race-between-close-and-udp_abort.patch @@ -0,0 +1,77 @@ +From 540a2c44f53ab394d59e9fb21d5f4f7bed859e29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 11:49:01 +0200 +Subject: udp: fix race between close() and udp_abort() + +From: Paolo Abeni + +[ Upstream commit a8b897c7bcd47f4147d066e22cc01d1026d7640e ] + +Kaustubh reported and diagnosed a panic in udp_lib_lookup(). +The root cause is udp_abort() racing with close(). Both +racing functions acquire the socket lock, but udp{v6}_destroy_sock() +release it before performing destructive actions. + +We can't easily extend the socket lock scope to avoid the race, +instead use the SOCK_DEAD flag to prevent udp_abort from doing +any action when the critical race happens. + +Diagnosed-and-tested-by: Kaustubh Pandey +Fixes: 5d77dca82839 ("net: diag: support SOCK_DESTROY for UDP sockets") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 10 ++++++++++ + net/ipv6/udp.c | 3 +++ + 2 files changed, 13 insertions(+) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 9d28b2778e8f..fbb9a11fe4a3 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -2569,6 +2569,9 @@ void udp_destroy_sock(struct sock *sk) + { + struct udp_sock *up = udp_sk(sk); + bool slow = lock_sock_fast(sk); ++ ++ /* protects from races with udp_abort() */ ++ sock_set_flag(sk, SOCK_DEAD); + udp_flush_pending_frames(sk); + unlock_sock_fast(sk, slow); + if (static_branch_unlikely(&udp_encap_needed_key)) { +@@ -2819,10 +2822,17 @@ int udp_abort(struct sock *sk, int err) + { + lock_sock(sk); + ++ /* udp{v6}_destroy_sock() sets it under the sk lock, avoid racing ++ * with close() ++ */ ++ if (sock_flag(sk, SOCK_DEAD)) ++ goto out; ++ + sk->sk_err = err; + sk->sk_error_report(sk); + __udp_disconnect(sk, 0); + ++out: + release_sock(sk); + + return 0; +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 29d9691359b9..e2de58d6cdce 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1596,6 +1596,9 @@ void udpv6_destroy_sock(struct sock *sk) + { + struct udp_sock *up = udp_sk(sk); + lock_sock(sk); ++ ++ /* protects from races with udp_abort() */ ++ sock_set_flag(sk, SOCK_DEAD); + udp_v6_flush_pending_frames(sk); + release_sock(sk); + +-- +2.30.2 + diff --git a/queue-5.10/vrf-fix-maximum-mtu.patch b/queue-5.10/vrf-fix-maximum-mtu.patch new file mode 100644 index 00000000000..3aa8d1d9373 --- /dev/null +++ b/queue-5.10/vrf-fix-maximum-mtu.patch @@ -0,0 +1,65 @@ +From 3c39a8130e35c52b0f7b5feaf9a1451fd40c421e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 16:59:51 +0200 +Subject: vrf: fix maximum MTU + +From: Nicolas Dichtel + +[ Upstream commit 9bb392f62447d73cc7dd7562413a2cd9104c82f8 ] + +My initial goal was to fix the default MTU, which is set to 65536, ie above +the maximum defined in the driver: 65535 (ETH_MAX_MTU). + +In fact, it's seems more consistent, wrt min_mtu, to set the max_mtu to +IP6_MAX_MTU (65535 + sizeof(struct ipv6hdr)) and use it by default. + +Let's also, for consistency, set the mtu in vrf_setup(). This function +calls ether_setup(), which set the mtu to 1500. Thus, the whole mtu config +is done in the same function. + +Before the patch: +$ ip link add blue type vrf table 1234 +$ ip link list blue +9: blue: mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000 + link/ether fa:f5:27:70:24:2a brd ff:ff:ff:ff:ff:ff +$ ip link set dev blue mtu 65535 +$ ip link set dev blue mtu 65536 +Error: mtu greater than device maximum. + +Fixes: 5055376a3b44 ("net: vrf: Fix ping failed when vrf mtu is set to 0") +CC: Miaohe Lin +Signed-off-by: Nicolas Dichtel +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/vrf.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c +index b9b7e00b72a8..bc96ac0c5769 100644 +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -1184,9 +1184,6 @@ static int vrf_dev_init(struct net_device *dev) + + dev->flags = IFF_MASTER | IFF_NOARP; + +- /* MTU is irrelevant for VRF device; set to 64k similar to lo */ +- dev->mtu = 64 * 1024; +- + /* similarly, oper state is irrelevant; set to up to avoid confusion */ + dev->operstate = IF_OPER_UP; + netdev_lockdep_set_classes(dev); +@@ -1620,7 +1617,8 @@ static void vrf_setup(struct net_device *dev) + * which breaks networking. + */ + dev->min_mtu = IPV6_MIN_MTU; +- dev->max_mtu = ETH_MAX_MTU; ++ dev->max_mtu = IP6_MAX_MTU; ++ dev->mtu = dev->max_mtu; + } + + static int vrf_validate(struct nlattr *tb[], struct nlattr *data[], +-- +2.30.2 +